DEV Community: Matthew The latest articles on DEV Community by Matthew (@matthewdipo). https://dev.to/matthewdipo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2968204%2Fd722f79d-c63b-4895-81c0-b4a80d203dfd.jpeg DEV Community: Matthew https://dev.to/matthewdipo en Appendix: Live System Output Matthew Thu, 28 May 2026 18:51:02 +0000 https://dev.to/matthewdipo/appendix-live-system-output-4p3e https://dev.to/matthewdipo/appendix-live-system-output-4p3e <h2> Appendix: Live System Output — Real Pipeline in Production </h2> <p><em>All output below was captured live from the running pipeline on 2026-03-08.</em><br> <em>These are not mock outputs — they come from actual AWS infrastructure and Kubernetes clusters.</em></p> <h2> ArgoCD — All 50 Applications Across 6 Clusters </h2> <p>The following is the live output of <code>argocd app list</code> from the hub cluster (<code>myapp-production-use1</code>).<br> Every component of the pipeline is represented — security, logging, monitoring, backups, and the application itself.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>argocd app list <span class="nt">--output</span> wide <span class="go"> NAME CLUSTER NAMESPACE PROJECT STATUS HEALTH argocd/argo-rollouts-myapp-production-use1 myapp-production-use1 argo-rollouts production Synced Healthy argocd/argo-rollouts-myapp-production-usw2 myapp-production-usw2 argo-rollouts production Synced Healthy argocd/aws-lbc-myapp-production-use1 myapp-production-use1 kube-system production Synced Healthy argocd/eso-myapp-production-use1 myapp-production-use1 external-secrets production OutOfSync Healthy ← known false positive argocd/eso-myapp-production-usw2 myapp-production-usw2 external-secrets production OutOfSync Healthy ← known false positive argocd/falco-myapp-dev-use1 myapp-dev-use1 falco production Synced Healthy argocd/falco-myapp-dev-usw2 myapp-dev-usw2 falco production Synced Healthy argocd/falco-myapp-production-use1 myapp-production-use1 falco production Synced Healthy argocd/falco-myapp-production-usw2 myapp-production-usw2 falco production Synced Healthy argocd/falco-myapp-staging-use1 myapp-staging-use1 falco production Synced Healthy argocd/falco-myapp-staging-usw2 myapp-staging-usw2 falco production Synced Healthy argocd/fluent-bit-myapp-dev-use1 myapp-dev-use1 logging production Synced Healthy argocd/fluent-bit-myapp-dev-usw2 myapp-dev-usw2 logging production Synced Healthy argocd/fluent-bit-myapp-production-use1 myapp-production-use1 logging production Synced Healthy argocd/fluent-bit-myapp-production-usw2 myapp-production-usw2 logging production Synced Healthy argocd/fluent-bit-myapp-staging-use1 myapp-staging-use1 logging production Synced Healthy argocd/fluent-bit-myapp-staging-usw2 myapp-staging-usw2 logging production Synced Healthy argocd/karpenter-myapp-production-use1 myapp-production-use1 karpenter production Synced Healthy argocd/karpenter-myapp-production-usw2 myapp-production-usw2 karpenter production Synced Healthy argocd/kyverno-myapp-dev-use1 myapp-dev-use1 kyverno production Synced Healthy argocd/kyverno-myapp-dev-usw2 myapp-dev-usw2 kyverno production Synced Healthy argocd/kyverno-myapp-production-use1 myapp-production-use1 kyverno production Synced Healthy argocd/kyverno-myapp-production-usw2 myapp-production-usw2 kyverno production Synced Healthy argocd/kyverno-myapp-staging-use1 myapp-staging-use1 kyverno production Synced Healthy argocd/kyverno-myapp-staging-usw2 myapp-staging-usw2 kyverno production Synced Healthy argocd/kyverno-policies-myapp-dev-use1 myapp-dev-use1 kyverno production Synced Healthy argocd/kyverno-policies-myapp-dev-usw2 myapp-dev-usw2 kyverno production Synced Healthy argocd/kyverno-policies-myapp-production-use1 myapp-production-use1 kyverno production Synced Healthy argocd/kyverno-policies-myapp-production-usw2 myapp-production-usw2 kyverno production Synced Healthy argocd/kyverno-policies-myapp-staging-use1 myapp-staging-use1 kyverno production Synced Healthy argocd/kyverno-policies-myapp-staging-usw2 myapp-staging-usw2 kyverno production Synced Healthy argocd/myapp-dev-myapp-dev-use1 myapp-dev-use1 dev dev OutOfSync Healthy ← ESO drift (expected) argocd/myapp-dev-myapp-dev-usw2 myapp-dev-usw2 dev dev OutOfSync Healthy ← ESO drift (expected) argocd/myapp-production-myapp-production-use1 myapp-production-use1 production production OutOfSync Healthy ← ESO drift (expected) argocd/myapp-production-myapp-production-usw2 myapp-production-usw2 production production OutOfSync Healthy ← ESO drift (expected) argocd/myapp-staging-myapp-staging-use1 myapp-staging-use1 staging staging Synced Healthy argocd/myapp-staging-myapp-staging-usw2 myapp-staging-usw2 staging staging Synced Healthy argocd/prometheus-myapp-production-use1 myapp-production-use1 monitoring production OutOfSync Degraded ← webhook job timeout (expected) argocd/prometheus-myapp-production-usw2 myapp-production-usw2 monitoring production OutOfSync Healthy ← prometheus webhook drift (expected) argocd/prometheus-myapp-staging-use1 myapp-staging-use1 monitoring production OutOfSync Healthy argocd/prometheus-myapp-staging-usw2 myapp-staging-usw2 monitoring production OutOfSync Healthy argocd/velero-myapp-dev-use1 myapp-dev-use1 velero production Synced Healthy argocd/velero-myapp-dev-usw2 myapp-dev-usw2 velero production Synced Healthy argocd/velero-myapp-production-use1 myapp-production-use1 velero production Synced Healthy argocd/velero-myapp-production-usw2 myapp-production-usw2 velero production Synced Healthy argocd/velero-myapp-staging-use1 myapp-staging-use1 velero production Synced Healthy argocd/velero-myapp-staging-usw2 myapp-staging-usw2 velero production Synced Healthy </span></code></pre> </div> <h2> ArgoCD — All 6 Clusters Registered and Reachable </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>argocd cluster list <span class="go"> SERVER NAME VERSION STATUS https://3C0575BCE3279BAFF3BB2D5B8444226A.gr7.us-west-2.eks.amazonaws.com myapp-dev-usw2 1.29+ Successful https://5079196FCF4ED5112E09CA85D7B8650F.gr7.us-west-2.eks.amazonaws.com myapp-staging-usw2 1.29+ Successful https://EA3C5197A0C39EA32557D04B8A2240EA.gr7.us-west-2.eks.amazonaws.com myapp-production-usw2 1.29+ Successful https://654498BA82E54D67E79FE325057C464B.gr7.us-east-1.eks.amazonaws.com myapp-dev-use1 1.29+ Successful https://6C4AB3A81EFDB980A8356D40C1590263.gr7.us-east-1.eks.amazonaws.com myapp-staging-use1 1.29+ Successful https://kubernetes.default.svc myapp-production-use1 1.29+ Successful </span></code></pre> </div> <p>All 6 clusters show <code>Successful</code> — the ArgoCD hub on <code>myapp-production-use1</code> can communicate with all spoke clusters via VPC peering (private endpoints) and public endpoints (dev).</p> <h2> EKS Nodes — Live Cluster Status </h2> <h3> Dev Clusters (public endpoints, Kubernetes 1.29) </h3> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>kubectl <span class="nt">--context</span> dev-use1 get nodes <span class="go"> ip-10-0-15-182.ec2.internal Ready v1.29.15-eks-ecaa3a6 ip-10-0-22-241.ec2.internal Ready v1.29.15-eks-ecaa3a6 ip-10-0-27-28.ec2.internal Ready v1.29.15-eks-ecaa3a6 </span><span class="gp">$</span><span class="w"> </span>kubectl <span class="nt">--context</span> dev-usw2 get nodes <span class="go"> ip-10-1-28-16.us-west-2.compute.internal Ready v1.29.15-eks-ecaa3a6 ip-10-1-3-187.us-west-2.compute.internal Ready v1.29.15-eks-ecaa3a6 ip-10-1-7-181.us-west-2.compute.internal Ready v1.29.15-eks-ecaa3a6 </span></code></pre> </div> <h3> Production Cluster — myapp-production-use1 (private endpoint) </h3> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>kubectl <span class="nt">--context</span> prod-use1 get nodes <span class="nt">-o</span> wide <span class="go"> NAME STATUS VERSION INTERNAL-IP INSTANCE-TYPE ip-10-20-2-113.ec2.internal Ready v1.29.15-eks-ecaa3a6 10.20.2.113 t3.medium ip-10-20-24-200.ec2.internal Ready v1.29.15-eks-ecaa3a6 10.20.24.200 t3.medium ip-10-20-26-204.ec2.internal Ready v1.29.15-eks-ecaa3a6 10.20.26.204 t3.medium ip-10-20-7-170.ec2.internal Ready v1.29.15-eks-ecaa3a6 10.20.7.170 t3.medium </span></code></pre> </div> <p>All nodes: <code>Ready</code>, Kubernetes <code>v1.29.15-eks-ecaa3a6</code>, VPC private IPs in the <code>10.20.0.0/16</code> CIDR (production-use1).</p> <h2> Application — Running Pods in Production </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>kubectl <span class="nt">--context</span> prod-use1 get pods <span class="nt">-n</span> production <span class="go"> NAME READY STATUS RESTARTS AGE myapp-production-myapp-production-use1-myapp-9985ccc88-f7rxj 1/1 Running 1 11d myapp-production-myapp-production-use1-myapp-9985ccc88-l2sh2 1/1 Running 0 11d myapp-production-myapp-production-use1-myapp-9985ccc88-vtwsm 1/1 Running 0 11d </span></code></pre> </div> <p>3 replicas running (matches <code>minReplicas: 3</code> in values-production.yaml).<br> The pod naming convention shows the ArgoCD release name (<code>myapp-production-myapp-production-use1</code>) and the Helm chart (<code>myapp</code>).</p> <h2> Argo Rollouts — Canary Controller Active </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>kubectl <span class="nt">--context</span> prod-use1 get rollouts <span class="nt">-n</span> production <span class="go"> NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE myapp-production-myapp-production-use1-myapp 3 3 3 3 11d </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>kubectl <span class="nt">--context</span> prod-use1 get hpa <span class="nt">-n</span> production <span class="go"> NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS </span><span class="gp">myapp-production-myapp-production-use1-myapp Rollout/myapp-production-myapp-production-use1-myapp &lt;unk&gt;</span>/60% 3 10 3 </code></pre> </div> <p>The HPA targets the <code>Rollout</code> resource (not a <code>Deployment</code>) — this is the correct configuration for Argo Rollouts. <code>&lt;unknown&gt;/60%</code> means the metrics-server hasn't collected enough data yet; the HPA is still functional and will scale when CPU crosses 60%.</p> <h2> Kyverno — Admission Policies Enforced </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>kubectl <span class="nt">--context</span> prod-use1 get clusterpolicies <span class="go"> NAME ADMISSION BACKGROUND VALIDATE ACTION READY AGE disallow-latest-tag true true Enforce True 34h require-non-root true true Enforce True 34h require-readonly-filesystem true true Enforce True 34h require-resource-limits true true Enforce True 34h restrict-image-registry true true Enforce True 34h </span></code></pre> </div> <p>5 cluster-wide policies active, all in <code>Enforce</code> mode (not <code>Audit</code>) — violations are blocked, not just logged. <code>Ready: True</code> means each policy's webhook is registered and functioning.</p> <h2> Falco — Runtime Security DaemonSet Running </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>kubectl <span class="nt">--context</span> prod-use1 get pods <span class="nt">-n</span> falco <span class="go"> NAME READY STATUS RESTARTS falco-myapp-production-use1-5d6dr 1/1 Running 29 falco-myapp-production-use1-jql5r 1/1 Running 0 falco-myapp-production-use1-pbhdr 1/1 Running 0 falco-myapp-production-use1-sjlkh 1/1 Running 0 falco-myapp-production-use1-falcosidekick-7c56844569-h4vvk 1/1 Running 1 falco-myapp-production-use1-falcosidekick-7c56844569-qcnjh 1/1 Running 2 </span></code></pre> </div> <p>Falco DaemonSet: one pod per node (4 nodes = 4 Falco pods). All <code>Running</code>. The 29 restarts on one pod is from the initial eBPF driver loading — normal behaviour on kernel version changes.</p> <h2> External Secrets — Synced from AWS Secrets Manager </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>kubectl <span class="nt">--context</span> prod-use1 get externalsecret <span class="nt">-n</span> production <span class="go"> NAME STORE REFRESH STATUS READY myapp-production-myapp-production-use1-myapp-secrets myapp-production-myapp-production-use1- 1h SecretSynced True </span></code></pre> </div> <p><code>SecretSynced: True</code> — ESO has successfully fetched <code>production/myapp/db-password</code> from AWS Secrets Manager and created the Kubernetes Secret. The IRSA authentication chain (OIDC token → STS → Secrets Manager) is working correctly.</p> <h2> Velero — Scheduled Backups Running </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>kubectl <span class="nt">--context</span> prod-use1 get schedules <span class="nt">-n</span> velero <span class="go"> NAME STATUS SCHEDULE LASTBACKUP AGE velero-myapp-production-use1-daily-backup Enabled 0 2 * * * 16h 34h </span></code></pre> </div> <p>Daily backup schedule active. Last backup ran 16 hours ago (2 AM UTC). Backups stored in S3.</p> <h2> ECR — Signed Images in Registry </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>aws ecr describe-images <span class="nt">--repository-name</span> myapp <span class="nt">--region</span> us-east-1 <span class="nt">--profile</span> myapp-mgmt <span class="go"> IMAGE TAG PUSHED AT SIZE sha-f72053d0d5fb765bc08d8b5a8374119655997784 2026-02-22T17:37:27Z 48.5 MB sha256-f01790daf982...956be0c.sig 2026-02-22T17:40:48Z 499 B ← Cosign signature </span></code></pre> </div> <p>Two OCI artifacts per image push:</p> <ol> <li>The application image tagged <code>sha-&lt;full-git-sha&gt;</code> (48.5 MB)</li> <li>The Cosign signature artifact tagged <code>sha256-&lt;digest&gt;.sig</code> (499 bytes) — this is the cryptographic attestation stored in ECR, verified by Kyverno at admission time</li> </ol> <h2> AWS GuardDuty — Threat Detection Active </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>aws guardduty list-detectors + get-detector <span class="o">(</span>production account<span class="o">)</span> <span class="go"> Status: ENABLED DataSources: - S3 Logs: ENABLED - Kubernetes Audit: ENABLED - Malware Protection (EBS): ENABLED </span><span class="gp">$</span><span class="w"> </span>aws guardduty list-detectors <span class="o">(</span>staging account<span class="o">)</span> <span class="go"> Status: ENABLED </span></code></pre> </div> <p>GuardDuty enabled in both production and staging accounts with EKS audit log monitoring. Any <code>kubectl exec</code> into production pods, unusual API call patterns, or crypto mining activity will generate findings.</p> <h2> AWS CloudWatch — Log Groups from Fluent Bit </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>aws logs describe-log-groups <span class="nt">--log-group-name-prefix</span> <span class="s2">"/eks/"</span> <span class="nt">--region</span> us-east-1 <span class="o">(</span>production account<span class="o">)</span> <span class="go"> /eks/myapp-production-use1 /eks/myapp-production-use1/argocd /eks/myapp-production-use1/external-secrets /eks/myapp-production-use1/falco /eks/myapp-production-use1/karpenter /eks/myapp-production-use1/kyverno /eks/myapp-production-use1/logging /eks/myapp-production-use1/monitoring /eks/myapp-production-use1/production /eks/myapp-production-use1/velero /eks/myapp-production-use1/argo-rollouts </span></code></pre> </div> <p>One CloudWatch Log Group per Kubernetes namespace, all prefixed <code>/eks/myapp-production-use1/</code>. Fluent Bit DaemonSet ships logs from every container in every namespace to the corresponding log group.</p> <h2> Live Health Check — Public Endpoint </h2> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">$</span><span class="w"> </span><span class="err">curl</span><span class="w"> </span><span class="err">-s</span><span class="w"> </span><span class="err">https://www.matthewoladipupo.dev/health</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="err">python</span><span class="mi">3</span><span class="w"> </span><span class="err">-m</span><span class="w"> </span><span class="err">json.tool</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"healthy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Production application serving HTTPS traffic. Route53 latency routing directs users to the nearest healthy region. AWS WAF WebACL inspects every request before it reaches the ALB.</p> <h2> Grafana — Public Dashboard </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>URL: https://grafana.matthewoladipupo.dev Username: admin </code></pre> </div> <p>Grafana deployed on <code>myapp-production-use1</code> with:</p> <ul> <li>50 GiB Prometheus TSDB (15-day retention)</li> <li>10 GiB Grafana persistent volume</li> <li>ACM wildcard TLS certificate (<code>*.matthewoladipupo.dev</code>)</li> <li>ALB internet-facing ingress provisioned by AWS Load Balancer Controller</li> </ul> <p><em>Add your Grafana dashboard screenshots here</em></p> <h2> Summary Table — Component Health at Time of Writing </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Clusters</th> <th>Status</th> </tr> </thead> <tbody> <tr> <td>ArgoCD hub</td> <td>prod-use1</td> <td>✅ Running, all 6 clusters registered</td> </tr> <tr> <td>Kyverno policies</td> <td>All 6</td> <td>✅ 5 ClusterPolicies, Enforce mode, Ready</td> </tr> <tr> <td>Falco DaemonSet</td> <td>All 6</td> <td>✅ One pod per node, all Running</td> </tr> <tr> <td>Fluent Bit DaemonSet</td> <td>All 6</td> <td>✅ Synced/Healthy, CloudWatch log groups created</td> </tr> <tr> <td>External Secrets</td> <td>All 6</td> <td>✅ SecretSynced: True</td> </tr> <tr> <td>Velero schedules</td> <td>All 6</td> <td>✅ Daily backup at 02:00 UTC, last run 16h ago</td> </tr> <tr> <td>Karpenter</td> <td>prod-use1, prod-usw2</td> <td>✅ Synced/Healthy</td> </tr> <tr> <td>Argo Rollouts</td> <td>prod-use1, prod-usw2</td> <td>✅ Synced/Healthy</td> </tr> <tr> <td>kube-prometheus-stack</td> <td>staging+prod (4)</td> <td>✅ Running (OutOfSync is known false positive)</td> </tr> <tr> <td>GuardDuty</td> <td>prod + staging</td> <td>✅ ENABLED with EKS audit logs</td> </tr> <tr> <td>ECR images</td> <td>mgmt account</td> <td>✅ Immutable tags, Cosign signatures present</td> </tr> <tr> <td>DNS + TLS</td> <td>Route53 + ACM</td> <td>✅ <code>www.matthewoladipupo.dev</code> → healthy</td> </tr> </tbody> </table></div> <p><em>All data captured live on 2026-03-08 from the running AWS infrastructure.</em></p> aws cicd devops kubernetes Production DevSecOps Pipeline — The Complete Day-2 Operations Runbook Matthew Thu, 28 May 2026 18:50:54 +0000 https://dev.to/matthewdipo/production-devsecops-pipeline-the-complete-day-2-operations-runbook-5bj2 https://dev.to/matthewdipo/production-devsecops-pipeline-the-complete-day-2-operations-runbook-5bj2 <h2> DevSecOps Pipeline — Completion Runbook </h2> <p>All code is written and pushed to GitHub. This runbook covers the remaining<br> operational steps: Terraform applies, GitOps ARN updates, and ArgoCD deployment.</p> <h2> Prerequisites </h2> <p>Install these tools if not already present:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># AWS CLI v2</span> winget <span class="nb">install </span>Amazon.AWSCLI <span class="c"># Terraform 1.6+</span> winget <span class="nb">install </span>HashiCorp.Terraform <span class="c"># Terragrunt</span> <span class="c"># Download from https://github.com/gruntwork-io/terragrunt/releases</span> <span class="c"># Place in C:\Windows\System32\ or add to PATH</span> <span class="c"># kubectl</span> winget <span class="nb">install </span>Kubernetes.kubectl <span class="c"># ArgoCD CLI</span> winget <span class="nb">install </span>argoproj.argocd </code></pre> </div> <h2> AWS Profile Setup </h2> <p>The root <code>terragrunt.hcl</code> uses profiles named <code>myapp-{env}-{region_alias}</code>.<br> Configure them in <code>~/.aws/config</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[profile myapp-production-use1]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">role_arn</span> <span class="p">=</span> <span class="s">arn:aws:iam::591120834781:role/AdministratorAccess</span> <span class="py">source_profile</span> <span class="p">=</span> <span class="s">default</span> <span class="nn">[profile myapp-production-usw2]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-west-2</span> <span class="py">role_arn</span> <span class="p">=</span> <span class="s">arn:aws:iam::591120834781:role/AdministratorAccess</span> <span class="py">source_profile</span> <span class="p">=</span> <span class="s">default</span> <span class="nn">[profile myapp-staging-use1]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">role_arn</span> <span class="p">=</span> <span class="s">arn:aws:iam::690687753178:role/AdministratorAccess</span> <span class="py">source_profile</span> <span class="p">=</span> <span class="s">default</span> <span class="nn">[profile myapp-staging-usw2]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-west-2</span> <span class="py">role_arn</span> <span class="p">=</span> <span class="s">arn:aws:iam::690687753178:role/AdministratorAccess</span> <span class="py">source_profile</span> <span class="p">=</span> <span class="s">default</span> <span class="nn">[profile myapp-dev-use1]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">role_arn</span> <span class="p">=</span> <span class="s">arn:aws:iam::557702566877:role/AdministratorAccess</span> <span class="py">source_profile</span> <span class="p">=</span> <span class="s">default</span> <span class="nn">[profile myapp-dev-usw2]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-west-2</span> <span class="py">role_arn</span> <span class="p">=</span> <span class="s">arn:aws:iam::557702566877:role/AdministratorAccess</span> <span class="py">source_profile</span> <span class="p">=</span> <span class="s">default</span> </code></pre> </div> <h2> PHASE 1 — Terraform Applies </h2> <p>Work from the <code>myapp-infra/</code> directory. Run in the order shown — capture outputs<br> for updating GitOps files in Phase 2.</p> <h3> 1.1 WAF (production + staging) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Production us-east-1</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/production/us-east-1/waf <span class="c"># Output → webacl_arn (copy this value)</span> <span class="c"># Production us-west-2</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/production/us-west-2/waf <span class="c"># Output → webacl_arn (copy this value)</span> <span class="c"># Staging (no GitOps ARN needed, but good to have)</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/staging/us-east-1/waf terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/staging/us-west-2/waf </code></pre> </div> <h3> 1.2 GuardDuty (all regions — no outputs needed) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/production/us-east-1/guardduty terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/production/us-west-2/guardduty terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/staging/us-east-1/guardduty terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/staging/us-west-2/guardduty </code></pre> </div> <blockquote> <p>GuardDuty has no GitOps dependency. Alerts appear in the AWS console and<br> optionally in CloudWatch.</p> </blockquote> <h3> 1.3 ESO IRSA for Staging </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Staging us-east-1</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/staging/us-east-1/eso-irsa <span class="c"># Output → role_arn (copy → used in environments/staging/applicationset.yaml)</span> <span class="c"># Staging us-west-2</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/staging/us-west-2/eso-irsa <span class="c"># Output → role_arn (copy → used in environments/staging/applicationset.yaml)</span> </code></pre> </div> <blockquote> <p>NOTE: The ESO operator ApplicationSet (<code>infrastructure/eso/applicationset.yaml</code>)<br> already includes staging clusters. Once ESO is running on staging and the<br> ExternalSecret IRSA role is set, ExternalSecrets will sync automatically.</p> </blockquote> <h3> 1.4 Fluent Bit IRSA (all 6 clusters) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/production/us-east-1/fluent-bit-irsa <span class="c"># → role_arn for myapp-production-use1</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/production/us-west-2/fluent-bit-irsa <span class="c"># → role_arn for myapp-production-usw2</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/staging/us-east-1/fluent-bit-irsa <span class="c"># → role_arn for myapp-staging-use1</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/staging/us-west-2/fluent-bit-irsa <span class="c"># → role_arn for myapp-staging-usw2</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/dev/us-east-1/fluent-bit-irsa <span class="c"># → role_arn for myapp-dev-use1</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/dev/us-west-2/fluent-bit-irsa <span class="c"># → role_arn for myapp-dev-usw2</span> </code></pre> </div> <h3> 1.5 Karpenter (production only) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/production/us-east-1/karpenter <span class="c"># Outputs:</span> <span class="c"># controller_role_arn → for karpenter applicationset.yaml</span> <span class="c"># node_role_arn → for verification (name = myapp-production-use1-karpenter-node)</span> <span class="c"># node_instance_profile → for verification</span> <span class="c"># interruption_queue_name → should be "myapp-production-use1-karpenter"</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/production/us-west-2/karpenter <span class="c"># Outputs same structure for usw2</span> </code></pre> </div> <blockquote> <p>The <code>nodeRoleName</code> values in <code>karpenter/nodepool-applicationset.yaml</code> are<br> pre-set to <code>myapp-production-use1-karpenter-node</code> and <code>myapp-production-usw2-karpenter-node</code>.<br> These match what Terraform creates so no update needed there.</p> </blockquote> <h3> 1.6 Velero (all 6 clusters) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Production</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/production/us-east-1/velero <span class="c"># → role_arn for myapp-production-use1</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/production/us-west-2/velero <span class="c"># → role_arn for myapp-production-usw2</span> <span class="c"># Staging</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/staging/us-east-1/velero <span class="c"># → role_arn for myapp-staging-use1</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/staging/us-west-2/velero <span class="c"># → role_arn for myapp-staging-usw2</span> <span class="c"># Dev</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/dev/us-east-1/velero <span class="c"># → role_arn for myapp-dev-use1</span> terragrunt apply <span class="nt">--terragrunt-working-dir</span> live/dev/us-west-2/velero <span class="c"># → role_arn for myapp-dev-usw2</span> </code></pre> </div> <h2> PHASE 2 — Update GitOps ARNs </h2> <p>After collecting all outputs from Phase 1, update the GitOps repo<br> (<code>myapp-gitops/</code>) and push.</p> <h3> 2.1 Production WAF ARNs </h3> <p>Edit <code>environments/production/applicationset.yaml</code> — replace <code>"PENDING"</code> with<br> real WAF ACL ARNs from Step 1.1:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">elements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-production-use1</span> <span class="s">...</span> <span class="na">wafAclArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:wafv2:us-east-1:591120834781:regional/webacl/myapp-production-use1-waf/XXXXXXXX"</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-production-usw2</span> <span class="s">...</span> <span class="na">wafAclArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:wafv2:us-west-2:591120834781:regional/webacl/myapp-production-usw2-waf/XXXXXXXX"</span> </code></pre> </div> <h3> 2.2 Staging ESO IRSA ARNs </h3> <p>Edit <code>environments/staging/applicationset.yaml</code> — replace <code>"PENDING"</code> with<br> role ARNs from Step 1.3:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">elements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-staging-use1</span> <span class="s">...</span> <span class="na">irsaRoleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::690687753178:role/myapp-staging-use1-eso"</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-staging-usw2</span> <span class="s">...</span> <span class="na">irsaRoleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::690687753178:role/myapp-staging-usw2-eso"</span> </code></pre> </div> <h3> 2.3 Fluent Bit IRSA ARNs </h3> <p>Edit <code>infrastructure/logging/applicationset.yaml</code> — replace all 6 <code>"PENDING"</code> values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">elements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster: myapp-production-use1 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::591120834781:role/myapp-production-use1-fluent-bit"</span> <span class="pi">-</span> <span class="na">cluster: myapp-production-usw2 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::591120834781:role/myapp-production-usw2-fluent-bit"</span> <span class="pi">-</span> <span class="na">cluster: myapp-staging-use1 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::690687753178:role/myapp-staging-use1-fluent-bit"</span> <span class="pi">-</span> <span class="na">cluster: myapp-staging-usw2 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::690687753178:role/myapp-staging-usw2-fluent-bit"</span> <span class="pi">-</span> <span class="na">cluster: myapp-dev-use1 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::557702566877:role/myapp-dev-use1-fluent-bit"</span> <span class="pi">-</span> <span class="na">cluster: myapp-dev-usw2 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::557702566877:role/myapp-dev-usw2-fluent-bit"</span> </code></pre> </div> <blockquote> <p>TIP: Role names follow the pattern <code>{cluster_name}-fluent-bit</code>. Verify with<br> <code>terragrunt output role_arn</code> in each fluent-bit-irsa directory.</p> </blockquote> <h3> 2.4 Karpenter Controller Role ARNs </h3> <p>Edit <code>infrastructure/karpenter/applicationset.yaml</code> — replace 2 <code>"PENDING"</code> values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">elements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster: myapp-production-use1 controllerRole</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::591120834781:role/myapp-production-use1-karpenter"</span> <span class="pi">-</span> <span class="na">cluster: myapp-production-usw2 controllerRole</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::591120834781:role/myapp-production-usw2-karpenter"</span> </code></pre> </div> <h3> 2.5 Velero Role ARNs </h3> <p>Edit <code>infrastructure/velero/applicationset.yaml</code> — replace all 6 <code>"PENDING"</code> values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">elements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster: myapp-production-use1 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::591120834781:role/myapp-production-use1-velero"</span> <span class="pi">-</span> <span class="na">cluster: myapp-production-usw2 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::591120834781:role/myapp-production-usw2-velero"</span> <span class="pi">-</span> <span class="na">cluster: myapp-staging-use1 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::690687753178:role/myapp-staging-use1-velero"</span> <span class="pi">-</span> <span class="na">cluster: myapp-staging-usw2 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::690687753178:role/myapp-staging-usw2-velero"</span> <span class="pi">-</span> <span class="na">cluster: myapp-dev-use1 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::557702566877:role/myapp-dev-use1-velero"</span> <span class="pi">-</span> <span class="na">cluster: myapp-dev-usw2 roleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::557702566877:role/myapp-dev-usw2-velero"</span> </code></pre> </div> <h3> 2.6 Slack Webhooks + Grafana Password </h3> <p>Edit <code>infrastructure/monitoring/prometheus-values.yaml</code>:</p> <ul> <li>Replace both <code>https://hooks.slack.com/services/CHANGE_ME</code> with real Slack incoming webhook URLs</li> <li>Replace <code>change-me-grafana</code> with a real password (or use an ExternalSecret)</li> </ul> <h3> 2.7 Commit + Push GitOps changes </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>myapp-gitops git add environments/ infrastructure/ git commit <span class="nt">-m</span> <span class="s2">"chore: fill in real ARNs from terraform outputs"</span> git push origin HEAD:main </code></pre> </div> <h3> 2.8 Create staging Secrets Manager secret </h3> <p>Run this once to seed the staging ExternalSecret:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">AWS_PROFILE</span><span class="o">=</span>myapp-staging-use1 aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> staging/myapp/db-password <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s1">'{"password":"change-me-staging"}'</span> <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="nv">AWS_PROFILE</span><span class="o">=</span>myapp-staging-usw2 aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> staging/myapp/db-password <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s1">'{"password":"change-me-staging"}'</span> <span class="se">\</span> <span class="nt">--region</span> us-west-2 </code></pre> </div> <h2> PHASE 3 — ArgoCD Setup </h2> <h3> 3.1 Bootstrap ArgoCD (App of Apps) </h3> <p>The <code>argocd/</code> directory in <code>myapp-gitops</code> now contains the AppProject and a<br> bootstrap Application. Apply the bootstrap once — after that ArgoCD manages<br> itself and will also pick up the AppProject automatically.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Point kubectl at production cluster (where ArgoCD runs)</span> kubectl config use-context myapp-production-use1 <span class="nb">cd </span>myapp-gitops <span class="c"># One-time bootstrap — creates the self-managing Application</span> kubectl apply <span class="nt">-f</span> argocd/bootstrap.yaml <span class="nt">-n</span> argocd <span class="c"># ArgoCD will now sync argocd/project-production.yaml automatically.</span> <span class="c"># Watch until it's healthy:</span> argocd app <span class="nb">wait </span>bootstrap <span class="nt">--health</span> </code></pre> </div> <blockquote> <p>The <code>argocd/project-production.yaml</code> AppProject already includes every<br> namespace and source repo needed by all components. No <code>kubectl patch</code> needed.</p> </blockquote> <h3> 3.2 Apply new ApplicationSets to ArgoCD </h3> <p>After the bootstrap Application syncs (it only manages the <code>argocd/</code> directory),<br> apply the infrastructure ApplicationSets manually once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>myapp-gitops kubectl apply <span class="nt">-f</span> infrastructure/eso/applicationset.yaml kubectl apply <span class="nt">-f</span> infrastructure/monitoring/applicationset.yaml kubectl apply <span class="nt">-f</span> infrastructure/monitoring/alert-rules-applicationset.yaml kubectl apply <span class="nt">-f</span> infrastructure/logging/applicationset.yaml kubectl apply <span class="nt">-f</span> infrastructure/karpenter/applicationset.yaml kubectl apply <span class="nt">-f</span> infrastructure/karpenter/nodepool-applicationset.yaml kubectl apply <span class="nt">-f</span> infrastructure/velero/applicationset.yaml kubectl apply <span class="nt">-f</span> infrastructure/falco/applicationset.yaml kubectl apply <span class="nt">-f</span> infrastructure/argo-rollouts/applicationset.yaml </code></pre> </div> <blockquote> <p>After this, ArgoCD self-manages all ApplicationSets via the automated sync<br> on the generated Applications.</p> </blockquote> <h2> PHASE 4 — ArgoCD Sync Order (Production) </h2> <p>Sync in this exact order to respect CRD dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Prometheus stack (creates CRDs for PrometheusRule, ServiceMonitor, etc.)</span> argocd app <span class="nb">sync </span>prometheus-myapp-production-use1 prometheus-myapp-production-usw2 argocd app <span class="nb">wait </span>prometheus-myapp-production-use1 <span class="nt">--health</span> argocd app <span class="nb">wait </span>prometheus-myapp-production-usw2 <span class="nt">--health</span> <span class="c"># Step 2: Alert rules (needs Prometheus CRDs)</span> argocd app <span class="nb">sync </span>alert-rules-myapp-production-use1 alert-rules-myapp-production-usw2 <span class="c"># Step 3: Parallel infra components (no inter-dependency)</span> argocd app <span class="nb">sync</span> <span class="se">\</span> fluent-bit-myapp-production-use1 fluent-bit-myapp-production-usw2 <span class="se">\</span> velero-myapp-production-use1 velero-myapp-production-usw2 <span class="se">\</span> falco-myapp-production-use1 falco-myapp-production-usw2 <span class="c"># Step 4: Karpenter controller (needs ECR access to pull image from public.ecr.aws)</span> argocd app <span class="nb">sync </span>karpenter-myapp-production-use1 karpenter-myapp-production-usw2 argocd app <span class="nb">wait </span>karpenter-myapp-production-use1 <span class="nt">--health</span> <span class="c"># Step 5: Karpenter NodePools (needs Karpenter CRDs installed by Step 4)</span> argocd app <span class="nb">sync </span>karpenter-nodepool-myapp-production-use1 karpenter-nodepool-myapp-production-usw2 <span class="c"># Step 6: Argo Rollouts controller</span> argocd app <span class="nb">sync </span>argo-rollouts-myapp-production-use1 argo-rollouts-myapp-production-usw2 argocd app <span class="nb">wait </span>argo-rollouts-myapp-production-use1 <span class="nt">--health</span> <span class="c"># Step 7: App (uses Rollout CR — needs argo-rollouts controller running)</span> argocd app <span class="nb">sync </span>myapp-production-myapp-production-use1 myapp-production-myapp-production-usw2 </code></pre> </div> <h3> Staging sync (can run in parallel with production steps 3+) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd app <span class="nb">sync</span> <span class="se">\</span> eso-myapp-staging-use1 eso-myapp-staging-usw2 <span class="se">\</span> fluent-bit-myapp-staging-use1 fluent-bit-myapp-staging-usw2 <span class="se">\</span> velero-myapp-staging-use1 velero-myapp-staging-usw2 <span class="se">\</span> falco-myapp-staging-use1 falco-myapp-staging-usw2 <span class="se">\</span> prometheus-myapp-staging-use1 prometheus-myapp-staging-usw2 <span class="c"># After staging ESO is healthy, ExternalSecrets will sync automatically</span> argocd app <span class="nb">sync </span>myapp-staging-myapp-staging-use1 myapp-staging-myapp-staging-usw2 </code></pre> </div> <h2> PHASE 5 — Verification </h2> <h3> Monitoring </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> monitoring <span class="nt">--context</span> myapp-production-use1 kubectl get prometheusrule <span class="nt">-n</span> monitoring <span class="nt">--context</span> myapp-production-use1 kubectl get alertmanager <span class="nt">-n</span> monitoring <span class="nt">--context</span> myapp-production-use1 <span class="c"># Access Grafana: kubectl port-forward svc/kube-prometheus-stack-grafana 3000:80 -n monitoring</span> </code></pre> </div> <h3> Logging </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> logging <span class="nt">--context</span> myapp-production-use1 <span class="c"># Verify log groups were created:</span> <span class="nv">AWS_PROFILE</span><span class="o">=</span>myapp-production-use1 aws logs describe-log-groups <span class="se">\</span> <span class="nt">--log-group-name-prefix</span> /eks/myapp-production-use1 <span class="nt">--region</span> us-east-1 </code></pre> </div> <h3> Karpenter </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> karpenter <span class="nt">--context</span> myapp-production-use1 kubectl get nodepool <span class="nt">--context</span> myapp-production-use1 kubectl get ec2nodeclass <span class="nt">--context</span> myapp-production-use1 <span class="c"># Trigger a scale test:</span> kubectl scale deploy/stress <span class="nt">--replicas</span><span class="o">=</span>50 <span class="nt">-n</span> default <span class="nt">--context</span> myapp-production-use1 kubectl get nodes <span class="nt">-w</span> <span class="nt">--context</span> myapp-production-use1 </code></pre> </div> <h3> Velero </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> velero <span class="nt">--context</span> myapp-production-use1 kubectl get schedule <span class="nt">-n</span> velero <span class="nt">--context</span> myapp-production-use1 <span class="c"># Trigger manual backup:</span> velero backup create manual-test <span class="nt">--context</span> myapp-production-use1 velero backup describe manual-test <span class="nt">--context</span> myapp-production-use1 </code></pre> </div> <h3> Falco </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> falco <span class="nt">--context</span> myapp-production-use1 <span class="c"># Check CloudWatch for events:</span> <span class="nv">AWS_PROFILE</span><span class="o">=</span>myapp-production-use1 aws logs describe-log-groups <span class="se">\</span> <span class="nt">--log-group-name-prefix</span> /falco <span class="nt">--region</span> us-east-1 </code></pre> </div> <h3> Argo Rollouts (canary deploy) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get rollout <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 kubectl argo rollouts get rollout myapp-production-use1-myapp <span class="nt">-n</span> production <span class="se">\</span> <span class="nt">--context</span> myapp-production-use1 <span class="nt">--watch</span> </code></pre> </div> <h3> ESO Staging </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get externalsecret <span class="nt">-n</span> staging <span class="nt">--context</span> myapp-staging-use1 kubectl describe externalsecret myapp-production-use1-myapp-secrets <span class="nt">-n</span> staging <span class="se">\</span> <span class="nt">--context</span> myapp-staging-use1 </code></pre> </div> <h3> WAF </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">AWS_PROFILE</span><span class="o">=</span>myapp-production-use1 aws wafv2 list-web-acls <span class="se">\</span> <span class="nt">--scope</span> REGIONAL <span class="nt">--region</span> us-east-1 | <span class="nb">grep </span>myapp </code></pre> </div> <h3> GuardDuty </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">AWS_PROFILE</span><span class="o">=</span>myapp-production-use1 aws guardduty list-detectors <span class="nt">--region</span> us-east-1 <span class="nv">AWS_PROFILE</span><span class="o">=</span>myapp-production-usw2 aws guardduty list-detectors <span class="nt">--region</span> us-west-2 </code></pre> </div> <h2> Troubleshooting Notes </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Issue</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>Karpenter fails to pull image</td> <td>Ensure the node IAM role has ECR pull-through cache configured or use <code>public.ecr.aws</code> directly. Karpenter controller image is on <code>public.ecr.aws/karpenter/karpenter</code>.</td> </tr> <tr> <td>Falco <code>modern_ebpf</code> not supported</td> <td>Some EKS AMIs/kernel versions don't support eBPF. Fall back to <code>driver.kind: ebpf</code> or <code>driver.kind: module</code> in <code>infrastructure/falco/values.yaml</code>.</td> </tr> <tr> <td>Velero backup fails</td> <td>Ensure S3 bucket lifecycle rule and encryption config applied. Check IRSA trust policy <code>sub</code> matches <code>system:serviceaccount:velero:velero</code>.</td> </tr> <tr> <td>Alert rules not picked up</td> <td>The PrometheusRule must have label <code>release: kube-prometheus-stack</code> (already set in <code>alert-rules.yaml</code>). Verify with <code>kubectl get prometheusrule -n monitoring -o yaml</code>.</td> </tr> <tr> <td>Rollout stuck at 20%</td> <td>Check AnalysisTemplate — if <code>myapp_http_requests_total</code> metric doesn't exist yet (app not instrumented), the analysis will fail. Set <code>failureLimit: 3</code> or temporarily disable analysis by removing the <code>analysis</code> step from the canary steps.</td> </tr> <tr> <td>Karpenter NodePool not scheduling</td> <td>Verify subnet and SG tags: <code>aws ec2 describe-subnets --filters "Name=tag:karpenter.sh/discovery,Values=myapp-production-use1"</code>.</td> </tr> </tbody> </table></div> <h2> Day-2 Operations Runbook </h2> <p><strong>For:</strong> Anyone operating this pipeline after initial setup is complete<br> <strong>Live system:</strong> <code>https://api.matthewoladipupo.dev/health</code></p> <h2> Quick Reference </h2> <h3> URLs and Credentials </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>URL</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Application</td> <td><code>https://api.matthewoladipupo.dev/health</code></td> <td>Public</td> </tr> <tr> <td>ArgoCD UI</td> <td><code>http://a0c3c1ea43b294c4d8f5c2a7c514f6f2-1678928976.us-east-1.elb.amazonaws.com</code></td> <td>admin / see Secrets Manager</td> </tr> <tr> <td>Grafana</td> <td><code>https://grafana.matthewoladipupo.dev</code></td> <td>admin / see Secrets Manager</td> </tr> <tr> <td>AWS SSO Portal</td> <td><code>https://d-9a6757fb3c.awsapps.com/start</code></td> <td>IAM Identity Center</td> </tr> </tbody> </table></div> <h3> Cluster → Profile Map </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cluster</th> <th>kubectl context</th> <th>AWS Profile</th> <th>Endpoint</th> </tr> </thead> <tbody> <tr> <td><code>myapp-production-use1</code></td> <td><code>myapp-production-use1</code></td> <td><code>myapp-prod-use1</code></td> <td><strong>private</strong></td> </tr> <tr> <td><code>myapp-production-usw2</code></td> <td><code>myapp-production-usw2</code></td> <td><code>myapp-prod-usw2</code></td> <td><strong>private</strong></td> </tr> <tr> <td><code>myapp-staging-use1</code></td> <td><code>myapp-staging-use1</code></td> <td><code>myapp-staging-use1</code></td> <td><strong>private</strong></td> </tr> <tr> <td><code>myapp-staging-usw2</code></td> <td><code>myapp-staging-usw2</code></td> <td><code>myapp-staging-usw2</code></td> <td><strong>private</strong></td> </tr> <tr> <td><code>myapp-dev-use1</code></td> <td><code>myapp-dev-use1</code></td> <td><code>myapp-dev-use1</code></td> <td>public</td> </tr> <tr> <td><code>myapp-dev-usw2</code></td> <td><code>myapp-dev-usw2</code></td> <td><code>myapp-dev-usw2</code></td> <td>public</td> </tr> </tbody> </table></div> <h2> OPS-1: Start of Session </h2> <p><strong>Run every time you open a new terminal.</strong> SSO tokens last 8 hours.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Authenticate</span> aws sso login <span class="nt">--sso-session</span> admin <span class="nt">--no-browser</span> <span class="c"># → browser opens → click Allow → wait for "Successfully logged in"</span> <span class="c"># 2. Verify</span> aws sts get-caller-identity <span class="nt">--profile</span> myapp-prod-use1 <span class="c"># → should return Account: 591120834781</span> <span class="c"># 3. Quick health check</span> curl https://api.matthewoladipupo.dev/health <span class="c"># → {"status":"healthy","region":"us-east-1"}</span> </code></pre> </div> <blockquote> <p>If you see <code>Token has expired and refresh failed</code> at any point, re-run step 1.</p> </blockquote> <h2> OPS-2: Accessing Private Clusters (Production + Staging) </h2> <p>Production and staging clusters have <code>endpointPublicAccess: false</code>. You must temporarily enable public access, do your work, then lock it back. <strong>Never leave production with a public endpoint.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable (wait ~3 minutes after running this)</span> aws eks update-cluster-config <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">true</span>,endpointPrivateAccess<span class="o">=</span><span class="nb">true</span>,publicAccessCidrs<span class="o">=</span>0.0.0.0/0 <span class="c"># Confirm it's ready</span> aws eks describe-cluster <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'cluster.resourcesVpcConfig.endpointPublicAccess'</span> <span class="c"># Must return: true</span> <span class="c"># --- Do your kubectl work here ---</span> <span class="c"># Lock back immediately after</span> aws eks update-cluster-config <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">false</span>,endpointPrivateAccess<span class="o">=</span><span class="nb">true</span> </code></pre> </div> <p>Replace <code>myapp-production-use1</code> / <code>myapp-prod-use1</code> / <code>us-east-1</code> with the appropriate values for other private clusters.</p> <h2> OPS-3: Standard Deployment </h2> <p>Normal deployments are fully automated — zero manual steps required:</p> <ol> <li>Developer pushes to <code>main</code> branch of <code>MatthewDipo/myapp</code> </li> <li>GitHub Actions: test → Trivy scan → build → push ECR → Cosign sign → update gitops values</li> <li>ArgoCD detects gitops change within 3 minutes → syncs</li> <li>In production: Argo Rollout starts canary (20% traffic for 5 minutes → analysis → 100%)</li> </ol> <p><strong>Monitor progress:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Watch rollout steps (enable public endpoint first)</span> kubectl get rollouts <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 <span class="nt">-w</span> <span class="c"># Detailed view (requires kubectl-argo-rollouts plugin)</span> kubectl argo rollouts get rollout myapp <span class="nt">-n</span> production <span class="se">\</span> <span class="nt">--context</span> myapp-production-use1 <span class="nt">--watch</span> </code></pre> </div> <h2> OPS-4: Promote or Abort a Canary </h2> <p><strong>Promote immediately</strong> (skip the 5-minute pause):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl argo rollouts promote myapp <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 </code></pre> </div> <p><strong>Abort</strong> (shift all traffic back to stable version instantly):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl argo rollouts abort myapp <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 <span class="c"># After abort the rollout shows Degraded — retry to return to Healthy</span> kubectl argo rollouts retry rollout myapp <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 </code></pre> </div> <h2> OPS-5: Roll Back a Deployment </h2> <p><strong>Option A — GitOps revert (preferred, keeps git history clean):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /path/to/myapp-gitops git revert HEAD <span class="nt">--no-edit</span> git push origin main <span class="c"># ArgoCD auto-syncs the revert within 3 minutes</span> </code></pre> </div> <p><strong>Option B — ArgoCD rollback to a previous revision:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd app <span class="nb">history </span>myapp-production-myapp-production-use1 argocd app rollback myapp-production-myapp-production-use1 &lt;revision-number&gt; </code></pre> </div> <p><strong>Option C — Emergency direct image update (bypasses GitOps, use only in outage):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get previous image tag from ECR</span> aws ecr describe-images <span class="se">\</span> <span class="nt">--repository-name</span> myapp <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'sort_by(imageDetails,&amp;imagePushedAt)[-2].imageTags'</span> <span class="se">\</span> <span class="nt">--output</span> json <span class="c"># Force update the rollout</span> kubectl argo rollouts <span class="nb">set </span>image myapp <span class="se">\</span> <span class="nv">myapp</span><span class="o">=</span>206617159586.dkr.ecr.us-east-1.amazonaws.com/myapp:sha-&lt;previous-sha&gt; <span class="se">\</span> <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 <span class="c"># After incident: update values-production.yaml in gitops to match, then push</span> </code></pre> </div> <h2> OPS-6: Rotate a Secret </h2> <p>The External Secrets Operator (ESO) syncs from AWS Secrets Manager on a 1-hour cycle.</p> <p><strong>Step 1 — Update value in Secrets Manager:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws secretsmanager put-secret-value <span class="se">\</span> <span class="nt">--secret-id</span> production/myapp/db-password <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s1">'{"password":"new-value-here"}'</span> <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 </code></pre> </div> <p><strong>Step 2 — Force immediate ESO refresh:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable public endpoint first (OPS-2)</span> kubectl annotate externalsecret myapp-db-password <span class="se">\</span> force-sync<span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> <span class="nt">-n</span> production <span class="se">\</span> <span class="nt">--context</span> myapp-production-use1 <span class="nt">--overwrite</span> <span class="c"># Verify</span> kubectl get externalsecret myapp-db-password <span class="nt">-n</span> production <span class="se">\</span> <span class="nt">--context</span> myapp-production-use1 <span class="c"># STATUS: SecretSynced</span> </code></pre> </div> <p><strong>Step 3 — Restart pods to pick up new value:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl argo rollouts restart myapp <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 </code></pre> </div> <h2> OPS-7: Incident Response </h2> <h3> Falco Security Alert </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Identify what triggered the alert</span> kubectl logs <span class="nt">-n</span> falco daemonset/falco <span class="nt">--context</span> myapp-production-use1 <span class="se">\</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"Warning|Critical"</span> | <span class="nb">tail</span> <span class="nt">-20</span> <span class="c"># 2. Inspect the affected pod</span> kubectl describe pod &lt;pod-name&gt; <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 kubectl logs &lt;pod-name&gt; <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 <span class="nt">--tail</span><span class="o">=</span>100 <span class="c"># 3. Contain if confirmed malicious — delete pod (Rollout replaces with clean copy)</span> kubectl delete pod &lt;pod-name&gt; <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 <span class="c"># 4. Preserve logs before deletion</span> kubectl logs &lt;pod-name&gt; <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 <span class="se">\</span> <span class="o">&gt;</span> /tmp/incident-<span class="si">$(</span><span class="nb">date</span> +%Y%m%d-%H%M%S<span class="si">)</span>.log <span class="c"># 5. Check GuardDuty for correlated findings</span> aws guardduty list-findings <span class="se">\</span> <span class="nt">--detector-id</span> <span class="si">$(</span>aws guardduty list-detectors <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'DetectorIds[0]'</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="nt">--profile</span> myapp-prod-use1 </code></pre> </div> <h3> Kyverno Blocked a Pod </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># See the rejection reason</span> kubectl describe pod &lt;pod-name&gt; <span class="nt">-n</span> &lt;namespace&gt; <span class="nt">--context</span> myapp-production-use1 <span class="c"># Look for: "admission webhook" in Events</span> <span class="c"># List policy violations</span> kubectl get policyreport <span class="nt">-n</span> &lt;namespace&gt; <span class="nt">--context</span> myapp-production-use1 </code></pre> </div> <p>Common violations and fixes:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Policy</th> <th>Violation</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td><code>block-privileged</code></td> <td> <code>privileged: true</code> in spec</td> <td>Remove the privileged flag</td> </tr> <tr> <td><code>require-non-root</code></td> <td>Running as root</td> <td>Add <code>runAsNonRoot: true</code>, <code>runAsUser: 1000</code> </td> </tr> <tr> <td><code>block-host-path</code></td> <td>hostPath volume</td> <td>Replace with PVC</td> </tr> <tr> <td><code>require-resource-limits</code></td> <td>No CPU/memory limits</td> <td>Add <code>resources.limits</code> </td> </tr> <tr> <td><code>verify-image-signature</code></td> <td>Image not Cosign-signed</td> <td>Must go through CI/CD pipeline</td> </tr> </tbody> </table></div> <h3> Application Down </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check pods</span> kubectl get pods <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 <span class="c"># Check pod logs</span> kubectl logs <span class="nt">-n</span> production <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>myapp <span class="nt">--context</span> myapp-production-use1 <span class="nt">--tail</span><span class="o">=</span>50 <span class="c"># Check rollout</span> kubectl get rollouts <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 <span class="c"># Check HPA — is it maxed out?</span> kubectl get hpa <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 <span class="c"># Check if Karpenter is provisioning nodes</span> kubectl get nodes <span class="nt">--context</span> myapp-production-use1 <span class="nt">-w</span> </code></pre> </div> <h2> OPS-8: Routine Health Check </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Application</span> curl https://api.matthewoladipupo.dev/health <span class="c"># ArgoCD — show only non-Synced apps (empty = all good)</span> argocd app list | <span class="nb">grep</span> <span class="nt">-v</span> <span class="s2">"Synced.*Healthy"</span> <span class="c"># Enable public endpoint, then:</span> kubectl get nodes <span class="nt">--context</span> myapp-production-use1 kubectl get pods <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 kubectl get hpa <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 kubectl get externalsecret <span class="nt">-n</span> production <span class="nt">--context</span> myapp-production-use1 kubectl get schedule <span class="nt">-n</span> velero <span class="nt">--context</span> myapp-production-use1 <span class="c"># Lock endpoint back</span> </code></pre> </div> <h2> OPS-9: Restore from Velero Backup </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable public endpoint first (OPS-2), then:</span> <span class="c"># List available backups</span> kubectl get backups <span class="nt">-n</span> velero <span class="nt">--context</span> myapp-production-use1 <span class="c"># Restore a namespace</span> kubectl create <span class="nt">-f</span> - <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> apiVersion: velero.io/v1 kind: Restore metadata: name: restore-</span><span class="si">$(</span><span class="nb">date</span> +%Y%m%d-%H%M<span class="si">)</span><span class="sh"> namespace: velero spec: backupName: &lt;backup-name-from-list&gt; includedNamespaces: - production restorePVs: true </span><span class="no">EOF </span><span class="c"># Watch progress</span> kubectl get restore <span class="nt">-n</span> velero <span class="nt">--context</span> myapp-production-use1 <span class="nt">-w</span> </code></pre> </div> <h2> OPS-10: Common Error Reference </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Error</th> <th>Cause</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td><code>Token has expired and refresh failed</code></td> <td>SSO session expired</td> <td><code>aws sso login --sso-session admin --no-browser</code></td> </tr> <tr> <td><code>dial tcp 10.x.x.x:443: i/o timeout</code></td> <td>Private cluster endpoint</td> <td>Enable public access temporarily (OPS-2)</td> </tr> <tr> <td><code>config profile (X) could not be found</code></td> <td>Wrong profile name</td> <td>Use <code>myapp-prod-use1</code> not <code>production</code> </td> </tr> <tr> <td><code>unknown command "argo" for "kubectl"</code></td> <td>Plugin not installed</td> <td>Install <code>kubectl-argo-rollouts</code> binary</td> </tr> <tr> <td> <code>SecretSynced: False</code> on ExternalSecret</td> <td>IRSA role or secret missing</td> <td>Check IAM role exists, check secret path in Secrets Manager</td> </tr> <tr> <td>Pod stuck in <code>Pending</code> </td> <td>Karpenter provisioning</td> <td>Wait 2 min; check <code>kubectl get nodeclaims</code> </td> </tr> <tr> <td>ArgoCD app <code>OutOfSync</code> after ESO sync</td> <td>ESO writes <code>status.refreshTime</code> </td> <td>Known false positive — safe to ignore or force-sync</td> </tr> </tbody> </table></div> cicd devops kubernetes terraform Part 10: Resilience — Karpenter, HPA, Argo Rollouts, and Velero Matthew Wed, 20 May 2026 08:00:00 +0000 https://dev.to/matthewdipo/part-10-resilience-karpenter-hpa-argo-rollouts-and-velero-3odg https://dev.to/matthewdipo/part-10-resilience-karpenter-hpa-argo-rollouts-and-velero-3odg <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>Resilience engineering is about building systems that degrade gracefully, recover automatically, and deploy safely. This final part brings together four capabilities:</p> <ul> <li> <strong>Karpenter</strong> — automatically provisions the right EC2 instances for pending pods, and removes them when no longer needed</li> <li> <strong>HPA</strong> — scales pod replicas based on CPU/memory pressure</li> <li> <strong>Argo Rollouts</strong> — deploys new versions with controlled canary traffic and automatic rollback on errors</li> <li> <strong>Velero</strong> — backs up Kubernetes resources and PVC data to S3 for disaster recovery </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ RESILIENCE LAYERS │ │ │ │ Traffic Spike │ │ └─► HPA: scale pods from 3 → 8 │ │ └─► Karpenter: provision new nodes to fit pending pods │ │ │ │ New Deployment │ │ └─► Argo Rollouts: 20% canary → analysis → promote or rollback │ │ │ │ Cluster Disaster │ │ └─► Velero: restore from S3 backup to new cluster │ └─────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Karpenter — Next-Generation Node Autoscaler </h2> <h3> Why Karpenter over Cluster Autoscaler? </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Cluster Autoscaler</th> <th>Karpenter</th> </tr> </thead> <tbody> <tr> <td>Node selection</td> <td>Pre-defined ASG instance types</td> <td>Picks cheapest EC2 that fits pod requests</td> </tr> <tr> <td>Spot support</td> <td>Limited</td> <td>Native, with fallback ordering</td> </tr> <tr> <td>Speed</td> <td>3–5 minutes</td> <td>30–90 seconds</td> </tr> <tr> <td>Consolidation</td> <td>Basic</td> <td>Active: moves pods to fewer nodes, terminates unused</td> </tr> <tr> <td>Configuration</td> <td>Per-ASG scaling groups</td> <td>Declarative NodePool CRD</td> </tr> </tbody> </table></div> <p>Karpenter provisions EC2 instances directly via the EC2 Fleet API — no Auto Scaling Group required for scaling decisions. It launches the exact instance type that fits your pending pods' resource requests, which means you pay only for what you actually need.</p> <h3> Installation (Production Only) </h3> <p>Karpenter is deployed only on production clusters where cost optimization and fast scaling matter. Dev/staging use fixed 2-node groups.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/karpenter/applicationset.yaml</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://charts.karpenter.sh</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">karpenter</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.37.0"</span> <span class="na">helm</span><span class="pi">:</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">serviceAccount:</span> <span class="s">annotations:</span> <span class="s">eks.amazonaws.com/role-arn: "{{karpenterRoleArn}}"</span> <span class="s">settings:</span> <span class="s">clusterName: "{{cluster}}"</span> <span class="s">clusterEndpoint: "{{clusterEndpoint}}"</span> <span class="s">interruptionQueue: "{{cluster}}-interruption"</span> <span class="s">controller:</span> <span class="s">resources:</span> <span class="s">requests:</span> <span class="s">cpu: 1</span> <span class="s">memory: 1Gi</span> </code></pre> </div> <h3> Karpenter IAM </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/karpenter/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"karpenter"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"karpenter-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">karpenter</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"EC2Management"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:RunInstances"</span><span class="p">,</span> <span class="s2">"ec2:TerminateInstances"</span><span class="p">,</span> <span class="s2">"ec2:DescribeInstances"</span><span class="p">,</span> <span class="s2">"ec2:DescribeInstanceTypes"</span><span class="p">,</span> <span class="s2">"ec2:DescribeSubnets"</span><span class="p">,</span> <span class="s2">"ec2:DescribeSecurityGroups"</span><span class="p">,</span> <span class="s2">"ec2:DescribeLaunchTemplates"</span><span class="p">,</span> <span class="s2">"ec2:CreateLaunchTemplate"</span><span class="p">,</span> <span class="s2">"ec2:CreateFleet"</span><span class="p">,</span> <span class="s2">"ec2:CreateTags"</span><span class="p">,</span> <span class="s2">"ec2:DescribeSpotPriceHistory"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"EKSDescribe"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="c1"># REQUIRED: Karpenter needs this to discover the cluster endpoint and CA</span> <span class="c1"># Without it Karpenter cannot configure new nodes to join the cluster</span> <span class="s2">"eks:DescribeCluster"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:eks:*:${var.account_id}:cluster/${var.cluster_name}"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"IAMPassRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"iam:PassRole"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">node_role_arn</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"SQSInterruption"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sqs:DeleteMessage"</span><span class="p">,</span> <span class="s2">"sqs:GetQueueUrl"</span><span class="p">,</span> <span class="s2">"sqs:ReceiveMessage"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">interruption</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Lesson learned:</strong> <code>eks:DescribeCluster</code> is not optional. Without it, Karpenter cannot discover the cluster endpoint and certificate authority, so newly provisioned nodes cannot join the cluster. Pods remain <code>Pending</code> indefinitely. Always include this permission.</p> </blockquote> <h3> NodePool CRD </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/karpenter/nodepools/templates/nodepool.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">karpenter.sh/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NodePool</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">general</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">karpenter</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">nodeClassRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">karpenter.k8s.aws/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">EC2NodeClass</span> <span class="na">name</span><span class="pi">:</span> <span class="s">general</span> <span class="na">requirements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">kubernetes.io/arch</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">amd64</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">karpenter.sh/capacity-type</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">spot</span><span class="pi">,</span> <span class="nv">on-demand</span><span class="pi">]</span> <span class="c1"># Prefer spot, fall back to on-demand</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">karpenter.k8s.aws/instance-category</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">c</span><span class="pi">,</span> <span class="nv">m</span><span class="pi">,</span> <span class="nv">r</span><span class="pi">]</span> <span class="c1"># Compute, memory, balanced families</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">karpenter.k8s.aws/instance-size</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">NotIn</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">nano</span><span class="pi">,</span> <span class="nv">micro</span><span class="pi">,</span> <span class="nv">small</span><span class="pi">]</span> <span class="c1"># Minimum medium instances</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">400Gi</span> <span class="na">disruption</span><span class="pi">:</span> <span class="na">consolidationPolicy</span><span class="pi">:</span> <span class="s">WhenUnderutilized</span> <span class="c1"># Actively consolidate idle nodes</span> <span class="na">consolidateAfter</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">expireAfter</span><span class="pi">:</span> <span class="s">720h</span> <span class="c1"># Rotate nodes every 30 days (security hygiene)</span> </code></pre> </div> <h3> EC2NodeClass CRD </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">karpenter.k8s.aws/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">EC2NodeClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">general</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">amiFamily</span><span class="pi">:</span> <span class="s">AL2</span> <span class="c1"># Amazon Linux 2 — EKS-optimized AMI</span> <span class="c1"># Karpenter discovers subnets and security groups by tags</span> <span class="na">subnetSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">tags</span><span class="pi">:</span> <span class="na">karpenter.sh/discovery</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{cluster}}"</span> <span class="na">securityGroupSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">tags</span><span class="pi">:</span> <span class="na">karpenter.sh/discovery</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{cluster}}"</span> <span class="na">instanceProfile</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{cluster}}-karpenter-node"</span> <span class="na">blockDeviceMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">deviceName</span><span class="pi">:</span> <span class="s">/dev/xvda</span> <span class="na">ebs</span><span class="pi">:</span> <span class="na">volumeSize</span><span class="pi">:</span> <span class="s">100Gi</span> <span class="na">volumeType</span><span class="pi">:</span> <span class="s">gp3</span> <span class="na">encrypted</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">kmsKeyID</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{kmsKeyArn}}"</span> </code></pre> </div> <h3> Verifying Karpenter </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Watch for new NodeClaims as pods scale up</span> kubectl <span class="nt">--context</span> prod-use1 get nodeclaims <span class="nt">-w</span> <span class="c"># Check NodePool status</span> kubectl <span class="nt">--context</span> prod-use1 get nodepool general <span class="c"># See which nodes Karpenter provisioned vs the initial managed node group</span> kubectl <span class="nt">--context</span> prod-use1 get nodes <span class="nt">-L</span> karpenter.sh/capacity-type,node.kubernetes.io/instance-type </code></pre> </div> <h2> HPA — Horizontal Pod Autoscaler </h2> <p>HPA watches CPU and memory metrics from the metrics-server and scales pod replicas up or down automatically.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/templates/hpa.yaml</span> <span class="pi">{{</span><span class="nv">- if .Values.autoscaling.enabled</span> <span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">autoscaling/v2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HorizontalPodAutoscaler</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.fullname" .</span> <span class="pi">}}</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">scaleTargetRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">if .Values.rollout.enabled</span> <span class="pi">}}</span><span class="s">argoproj.io/v1alpha1{{ else }}apps/v1{{ end }}</span> <span class="na">kind</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">if .Values.rollout.enabled</span> <span class="pi">}}</span><span class="s">Rollout{{ else }}Deployment{{ end }}</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.fullname" .</span> <span class="pi">}}</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.autoscaling.minReplicas</span> <span class="pi">}}</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.autoscaling.maxReplicas</span> <span class="pi">}}</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Resource</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cpu</span> <span class="na">target</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Utilization</span> <span class="na">averageUtilization</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.autoscaling.targetCPUUtilizationPercentage | default 70</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Resource</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">memory</span> <span class="na">target</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Utilization</span> <span class="na">averageUtilization</span><span class="pi">:</span> <span class="m">80</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>Production values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># values-production.yaml</span> <span class="na">autoscaling</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">10</span> <span class="na">targetCPUUtilizationPercentage</span><span class="pi">:</span> <span class="m">60</span> </code></pre> </div> <blockquote> <p><strong>Note the conditional <code>scaleTargetRef</code>:</strong> In production, HPA targets a <code>Rollout</code> resource (Argo Rollouts). In dev/staging, it targets a standard <code>Deployment</code>. The Helm template handles both cases via <code>.Values.rollout.enabled</code>.</p> </blockquote> <h3> HPA + Karpenter Interaction </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Traffic spike arrives │ ▼ HPA: CPU &gt; 60% → scale pods from 3 to 8 │ ▼ 5 new pods: Pending (not enough node capacity) │ ▼ Karpenter: detects Pending pods → evaluates requests → finds cheapest EC2 that fits → provisions 2x m5.large │ ▼ ~60 seconds New nodes join cluster → pods schedule → Running │ Traffic normalizes │ HPA: CPU &lt; 60% → scale pods from 8 back to 3 │ 5 pods terminate │ Karpenter: 2 nodes underutilized → consolidate → terminate nodes </code></pre> </div> <h2> Argo Rollouts — Canary Deployments </h2> <p>Argo Rollouts replaces the standard Kubernetes <code>Deployment</code> with a <code>Rollout</code> resource that supports progressive delivery strategies. In production, every deployment goes through a canary phase.</p> <h3> Installation (Production Only) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/argo-rollouts/applicationset.yaml</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://argoproj.github.io/argo-helm</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">argo-rollouts</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2.35.3"</span> <span class="na">helm</span><span class="pi">:</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">installCRDs: true</span> <span class="s">dashboard:</span> <span class="s">enabled: true</span> <span class="s">service:</span> <span class="s">type: ClusterIP</span> </code></pre> </div> <h3> Rollout CRD (replaces Deployment in production) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/templates/deployment.yaml</span> <span class="pi">{{</span><span class="nv">- if .Values.rollout.enabled</span> <span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rollout</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.fullname" .</span> <span class="pi">}}</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.replicaCount</span> <span class="pi">}}</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "myapp.selectorLabels" . | nindent 6</span> <span class="pi">}}</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "myapp.selectorLabels" . | nindent 8</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.Values.image.repository</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">.Values.image.tag</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">128Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">256Mi</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">canaryService</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.fullname" .</span> <span class="pi">}}</span><span class="s">-canary</span> <span class="na">stableService</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.fullname" .</span> <span class="pi">}}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">20</span> <span class="c1"># Step 1: 20% of traffic to canary</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span> <span class="pi">}</span> <span class="c1"># Step 2: Bake for 5 minutes</span> <span class="pi">-</span> <span class="na">analysis</span><span class="pi">:</span> <span class="c1"># Step 3: Automated metric check</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">templateName</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service-name</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.fullname" .</span> <span class="pi">}}</span><span class="s">-canary</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">100</span> <span class="c1"># Step 4: Promote to 100%</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="c1"># Standard Deployment for dev/staging</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="nn">...</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <h3> AnalysisTemplate — Automated Promotion Gate </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/templates/analysis-template.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AnalysisTemplate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service-name</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">60s</span> <span class="na">count</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># Run 5 measurements (5 minutes total)</span> <span class="na">failureLimit</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># One failure triggers rollback</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">http://prometheus-operated.monitoring.svc.cluster.local:9090</span> <span class="na">query</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sum(</span> <span class="s">rate(myapp_http_requests_total{</span> <span class="s">service="{{`{{args.service-name}}`}}",</span> <span class="s">status_code!~"5.."</span> <span class="s">}[5m])</span> <span class="s">)</span> <span class="s">/</span> <span class="s">sum(</span> <span class="s">rate(myapp_http_requests_total{</span> <span class="s">service="{{`{{args.service-name}}`}}"</span> <span class="s">}[5m])</span> <span class="s">)</span> <span class="na">successCondition</span><span class="pi">:</span> <span class="s">result[0] &gt;= </span><span class="m">0.99</span> <span class="c1"># 99%+ success rate required</span> <span class="na">failureCondition</span><span class="pi">:</span> <span class="s">result[0] &lt; </span><span class="m">0.99</span> </code></pre> </div> <h3> Canary Service </h3> <p>Traffic splitting requires two Services: <code>stable</code> (regular Service) and <code>canary</code> (routes only to canary pods).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/templates/service-canary.yaml</span> <span class="pi">{{</span><span class="nv">- if .Values.rollout.enabled</span> <span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.fullname" .</span> <span class="pi">}}</span><span class="s">-canary</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "myapp.selectorLabels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <h3> Canary Deployment Walkthrough </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. CI pushes new image: sha-abc123 → myapp-gitops updated 2. ArgoCD detects diff → triggers Rollout update 3. Argo Rollouts creates new ReplicaSet with sha-abc123 Traffic: 80% → stable (sha-xyz789), 20% → canary (sha-abc123) 4. 5-minute pause → Monitor Grafana: error rate on canary service? → Logs in CloudWatch: any exceptions? 5. AnalysisRun queries Prometheus (5 measurements × 1 min) → success_rate = 0.997 (99.7% success) ✓ PASS 6. setWeight: 100% → all traffic to sha-abc123 7. Old ReplicaSet (sha-xyz789) scaled to 0 after stability window </code></pre> </div> <h3> Manual Intervention </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Watch rollout progress</span> kubectl argo rollouts status myapp <span class="nt">-n</span> myapp <span class="nt">--watch</span> <span class="c"># Manually promote (skip remaining pause/analysis steps)</span> kubectl argo rollouts promote myapp <span class="nt">-n</span> myapp <span class="c"># Manually abort (rollback to stable immediately)</span> kubectl argo rollouts abort myapp <span class="nt">-n</span> myapp <span class="c"># Access the Argo Rollouts dashboard</span> kubectl port-forward svc/argo-rollouts-dashboard <span class="nt">-n</span> argo-rollouts 3100:3100 <span class="c"># Open http://localhost:3100</span> </code></pre> </div> <h2> Velero — Backup and Disaster Recovery </h2> <p>Velero backs up Kubernetes resource definitions and EBS volume snapshots to S3. If a cluster is accidentally deleted or corrupted, you can restore everything to a new cluster.</p> <h3> What Velero Backs Up </h3> <ul> <li>All Kubernetes objects (Deployments, Services, ConfigMaps, Secrets, etc.)</li> <li>PersistentVolumeClaim snapshots (Prometheus data, Grafana dashboards, etc.)</li> <li>Namespace structure</li> </ul> <h3> Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/velero/applicationset.yaml</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://vmware-tanzu.github.io/helm-charts</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">velero</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s2">"</span><span class="s">6.4.0"</span> <span class="na">helm</span><span class="pi">:</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">serviceAccount:</span> <span class="s">server:</span> <span class="s">annotations:</span> <span class="s">eks.amazonaws.com/role-arn: "{{veleroRoleArn}}"</span> <span class="s">configuration:</span> <span class="s">backupStorageLocation:</span> <span class="s">- name: default</span> <span class="s">provider: aws</span> <span class="s">bucket: "myapp-velero-{{cluster}}"</span> <span class="s">config:</span> <span class="s">region: "{{region}}"</span> <span class="s">volumeSnapshotLocation:</span> <span class="s">- name: default</span> <span class="s">provider: aws</span> <span class="s">config:</span> <span class="s">region: "{{region}}"</span> <span class="s">initContainers:</span> <span class="s">- name: velero-plugin-for-aws</span> <span class="s">image: velero/velero-plugin-for-aws:v1.9.0</span> <span class="s">volumeMounts:</span> <span class="s">- mountPath: /target</span> <span class="s">name: plugins</span> </code></pre> </div> <h3> Scheduled Backup </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/velero/schedule.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">velero.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Schedule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">daily-backup</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">velero</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0</span><span class="nv"> </span><span class="s">2</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*"</span> <span class="c1"># 2 AM UTC daily</span> <span class="na">template</span><span class="pi">:</span> <span class="na">includedNamespaces</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">myapp</span> <span class="pi">-</span> <span class="s">monitoring</span> <span class="pi">-</span> <span class="s">argocd</span> <span class="na">excludedResources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">events</span> <span class="pi">-</span> <span class="s">events.events.k8s.io</span> <span class="na">snapshotVolumes</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ttl</span><span class="pi">:</span> <span class="s">720h</span> <span class="c1"># 30 days retention</span> <span class="na">storageLocation</span><span class="pi">:</span> <span class="s">default</span> <span class="na">volumeSnapshotLocations</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">default</span> </code></pre> </div> <h3> Restore Procedure </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List available backups</span> velero backup get <span class="c"># Restore from a specific backup</span> velero restore create <span class="nt">--from-backup</span> daily-backup-20260308020000 <span class="c"># Watch restore progress</span> velero restore describe &lt;restore-name&gt; <span class="nt">--details</span> <span class="c"># Verify restored resources</span> kubectl get all <span class="nt">-n</span> myapp kubectl get pvc <span class="nt">-n</span> monitoring </code></pre> </div> <blockquote> <p><strong>Critical reminder:</strong> An untested backup is not a backup. Run a restore drill at least quarterly into a temporary cluster. The restore procedure should be documented and rehearsed so it is not being learned for the first time during an actual outage.</p> </blockquote> <h2> PodDisruptionBudget </h2> <p>Karpenter's consolidation can evict pods to move them to fewer nodes. Without a PDB, it might evict too many pods at once and cause downtime.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/templates/pdb.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodDisruptionBudget</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.fullname" .</span> <span class="pi">}}</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">minAvailable</span><span class="pi">:</span> <span class="m">2</span> <span class="c1"># Always keep at least 2 pods running during disruption</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "myapp.selectorLabels" . | nindent 6</span> <span class="pi">}}</span> </code></pre> </div> <p>With <code>minReplicas: 3</code> and <code>minAvailable: 2</code>, Karpenter can only evict one pod at a time. The remaining two continue serving traffic while the evicted pod reschedules on a new node.</p> <h2> Complete Resilience Picture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NORMAL OPERATION ───────────────── 3 pods (minReplicas) on 2 managed nodes HPA watching CPU (target: 60%) Karpenter watching for pending pods Velero backing up daily at 2 AM UTC TRAFFIC SPIKE ───────────────── CPU &gt; 60% → HPA scales to 8 pods 2 pods pending (no capacity) → Karpenter provisions m5.large All 8 pods running → serving traffic Spike ends → HPA scales to 3 pods 2 pods terminate → Karpenter consolidates → terminates extra node NEW DEPLOYMENT (production) ───────────────── ArgoCD syncs new image → Rollout starts 20% canary → 5min bake → AnalysisRun → 100% promote OR: error rate &gt; 1% → automatic rollback to previous version DISASTER RECOVERY ───────────────── Cluster accidentally deleted → restore from Velero backup velero restore create --from-backup &lt;last-good-backup&gt; Kubernetes objects restored → EBS snapshots attached → running in ~15 min </code></pre> </div> <h2> Summary </h2> <p>By the end of Part 10 — and the entire series — you have:</p> <ul> <li>✅ <strong>Karpenter</strong> provisioning right-sized EC2 instances on demand, consolidating when idle</li> <li>✅ <strong>HPA</strong> scaling pods 3→10 based on CPU utilization, targeting a Rollout in production</li> <li>✅ <strong>Argo Rollouts</strong> deploying every production change as a canary with automated Prometheus-based promotion gates</li> <li>✅ <strong>Velero</strong> running scheduled daily backups with 30-day retention to S3</li> <li>✅ <strong>PodDisruptionBudget</strong> preventing Karpenter from evicting too many pods at once</li> </ul> <h2> Series Conclusion </h2> <p>You have now built a complete production-grade DevSecOps platform:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>What You Built</th> </tr> </thead> <tbody> <tr> <td>Foundation</td> <td>AWS Organizations, 4 accounts, SSO, SCPs</td> </tr> <tr> <td>Infrastructure</td> <td>Terraform modules, Terragrunt DRY configs, 6 VPCs</td> </tr> <tr> <td>Compute</td> <td>6 EKS clusters (k8s 1.29) across 3 environments and 2 regions</td> </tr> <tr> <td>GitOps</td> <td>ArgoCD hub-spoke, 35+ ApplicationSets, automated sync</td> </tr> <tr> <td>CI/CD</td> <td>GitHub Actions + OIDC + Trivy + Cosign + ECR</td> </tr> <tr> <td>Secrets</td> <td>AWS Secrets Manager + ESO + IRSA</td> </tr> <tr> <td>Security</td> <td>Kyverno policies + Falco runtime detection + WAF + GuardDuty</td> </tr> <tr> <td>Observability</td> <td>Prometheus + Grafana + Fluent Bit + CloudWatch</td> </tr> <tr> <td>Resilience</td> <td>Karpenter + HPA + Argo Rollouts canary + Velero DR</td> </tr> <tr> <td>Networking</td> <td>Route53 latency routing + ACM TLS + ALB + NetworkPolicies</td> </tr> </tbody> </table></div> <p>This is the platform that a growing engineering team with 50–500 developers would build and operate. Each component was chosen for a reason, wired to the others, and tested against real failures.</p> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: kubectl get hpa showing current/desired replicas scaling</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv0gt1hbgiku4vhgqcu7p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv0gt1hbgiku4vhgqcu7p.png" alt="Show in frame: The HPA showing TARGETS: 15%/70%, MIN: 3, MAX: 10, REPLICAS: 3. This confirms autoscaling is wired up.<br> Screenshot 10-3: Velero Backup Schedule" width="800" height="734"></a></p> <p><strong>SCREENSHOT: ArgoCD — full applications view showing all 35+ apps across 6 clusters</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fopovny026913cge0awjf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fopovny026913cge0awjf.png" alt=" ArgoCD — full applications view showing all 35+ apps across 6 clusters" width="799" height="443"></a></p> </blockquote> <p><em>Thank you for following this series. Source code:</em></p> <ul> <li><em>Infrastructure: <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">github.com/MatthewDipo/myapp-infra</a></em></li> <li><em>GitOps manifests: <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">github.com/MatthewDipo/myapp-gitops</a></em></li> <li><em>Application: <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">github.com/MatthewDipo/myapp</a></em></li> </ul> kubernetes devops aws cloud Part 9: Observability — Prometheus, Grafana, Fluent Bit, and CloudWatch Matthew Wed, 13 May 2026 08:00:00 +0000 https://dev.to/matthewdipo/part-9-observability-prometheus-grafana-fluent-bit-and-cloudwatch-4h44 https://dev.to/matthewdipo/part-9-observability-prometheus-grafana-fluent-bit-and-cloudwatch-4h44 <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>Observability answers the question: <em>what is my system doing right now, and why?</em></p> <p>The three pillars:</p> <ul> <li> <strong>Metrics</strong> — numerical measurements over time (CPU%, request rate, error rate, latency)</li> <li> <strong>Logs</strong> — structured event records from every container</li> <li> <strong>Traces</strong> — request flows across services (not covered in this series, but Grafana Tempo is the natural next step)</li> </ul> <p>This pipeline implements metrics with <strong>Prometheus + Grafana</strong> and logs with <strong>Fluent Bit → CloudWatch</strong>. Together they give you both real-time dashboards and historical log search without leaving the AWS ecosystem.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────────────┐ │ OBSERVABILITY ARCHITECTURE │ │ │ │ Application Pods │ │ ├─ /metrics endpoint → ServiceMonitor → Prometheus scrape │ │ └─ stdout/stderr → Fluent Bit DaemonSet → CloudWatch Logs │ │ │ │ Infrastructure │ │ ├─ node-exporter (CPU, memory, disk, network per node) → Prometheus │ │ └─ kube-state-metrics (pod state, deployment state) → Prometheus │ │ │ │ Prometheus → Grafana (dashboards + alert rules) │ │ Prometheus → Alertmanager (notifications) │ │ │ │ Falco (security events) → stdout → Fluent Bit → CloudWatch │ │ All containers → stdout → Fluent Bit → CloudWatch │ └──────────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> kube-prometheus-stack </h2> <p>Rather than installing Prometheus, Grafana, and Alertmanager separately, we use the <code>kube-prometheus-stack</code> Helm chart. It bundles:</p> <ul> <li> <strong>Prometheus Operator</strong> — manages Prometheus, Alertmanager, and PrometheusRule CRDs</li> <li> <strong>Prometheus</strong> — the metrics database</li> <li> <strong>Alertmanager</strong> — routes alerts to notification channels</li> <li> <strong>Grafana</strong> — dashboards and visualization</li> <li> <strong>kube-state-metrics</strong> — exposes Kubernetes object state as metrics</li> <li> <strong>node-exporter</strong> — exposes node-level metrics (CPU, memory, disk, network)</li> </ul> <p>We install it only on <strong>staging and production</strong> clusters (4 of 6) — dev clusters skip monitoring to reduce cost.</p> <h3> Installation via ArgoCD </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/monitoring/applicationset.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ApplicationSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kube-prometheus-stack</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">generators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">list</span><span class="pi">:</span> <span class="na">elements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-production-use1</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">grafanaIngress</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">certArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:acm:us-east-1:591120834781:certificate/9ab022c9-..."</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-production-usw2</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-west-2</span> <span class="na">grafanaIngress</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">certArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-staging-use1</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">grafanaIngress</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">certArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-staging-usw2</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-west-2</span> <span class="na">grafanaIngress</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">certArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">prometheus-{{cluster}}"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">production</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://prometheus-community.github.io/helm-charts</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">kube-prometheus-stack</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s2">"</span><span class="s">61.9.0"</span> <span class="na">helm</span><span class="pi">:</span> <span class="na">valueFiles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$gitopsValues/infrastructure/monitoring/prometheus-values.yaml</span> <span class="na">parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">grafana.ingress.enabled"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{grafanaIngress}}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">grafana.ingress.annotations.alb</span><span class="se">\\</span><span class="s">.ingress</span><span class="se">\\</span><span class="s">.kubernetes</span><span class="se">\\</span><span class="s">.io/certificate-arn"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{certArn}}"</span> <span class="pi">-</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/MatthewDipo/myapp-gitops.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">ref</span><span class="pi">:</span> <span class="s">gitopsValues</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{cluster}}"</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">monitoring</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">CreateNamespace=true</span><span class="pi">,</span> <span class="nv">ServerSideApply=true</span><span class="pi">]</span> <span class="na">retry</span><span class="pi">:</span> <span class="na">limit</span><span class="pi">:</span> <span class="m">3</span> <span class="na">backoff</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">duration</span><span class="pi">:</span> <span class="nv">30s</span><span class="pi">,</span> <span class="nv">maxDuration</span><span class="pi">:</span> <span class="nv">10m</span><span class="pi">,</span> <span class="nv">factor</span><span class="pi">:</span> <span class="nv">2</span> <span class="pi">}</span> </code></pre> </div> <blockquote> <p><strong>Important install flag:</strong> Use <code>--no-hooks --timeout 10m</code> (without <code>--wait</code>). Pre-upgrade admission webhook Jobs consistently time out in ArgoCD, causing the sync phase to show <code>Failed</code> — but the actual resources (Prometheus, Grafana, Alertmanager) deploy correctly. This is a known false positive. Do not let it alarm you.</p> </blockquote> <h3> prometheus-values.yaml </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">prometheus</span><span class="pi">:</span> <span class="na">prometheusSpec</span><span class="pi">:</span> <span class="na">retention</span><span class="pi">:</span> <span class="s">15d</span> <span class="na">storageSpec</span><span class="pi">:</span> <span class="na">volumeClaimTemplate</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">gp2</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">ReadWriteOnce</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">50Gi</span> <span class="c1"># Auto-discover ALL ServiceMonitors and PodMonitors across all namespaces</span> <span class="c1"># Without these settings Prometheus only scrapes resources with matching Helm labels</span> <span class="na">podMonitorSelectorNilUsesHelmValues</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">serviceMonitorSelectorNilUsesHelmValues</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">ruleSelectorNilUsesHelmValues</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">alertmanager</span><span class="pi">:</span> <span class="na">alertmanagerSpec</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="na">volumeClaimTemplate</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">gp2</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">ReadWriteOnce</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> <span class="na">config</span><span class="pi">:</span> <span class="na">global</span><span class="pi">:</span> <span class="na">resolve_timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">route</span><span class="pi">:</span> <span class="na">group_by</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">alertname</span><span class="pi">,</span> <span class="nv">region</span><span class="pi">]</span> <span class="na">group_wait</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">group_interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">repeat_interval</span><span class="pi">:</span> <span class="s">12h</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s2">"</span><span class="s">null"</span> <span class="c1"># Placeholder — replace with Slack/PagerDuty</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">null"</span> <span class="na">grafana</span><span class="pi">:</span> <span class="na">admin</span><span class="pi">:</span> <span class="na">existingSecret</span><span class="pi">:</span> <span class="s">grafana-admin-secret</span> <span class="na">userKey</span><span class="pi">:</span> <span class="s">admin-user</span> <span class="na">passwordKey</span><span class="pi">:</span> <span class="s">admin-password</span> <span class="na">persistence</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">gp2</span> <span class="na">size</span><span class="pi">:</span> <span class="s">10Gi</span> <span class="na">sidecar</span><span class="pi">:</span> <span class="na">dashboards</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">searchNamespace</span><span class="pi">:</span> <span class="s">ALL</span> <span class="c1"># Pick up dashboards from all namespaces</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># Overridden per-cluster via ApplicationSet parameter</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">alb</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">alb.ingress.kubernetes.io/scheme</span><span class="pi">:</span> <span class="s">internet-facing</span> <span class="na">alb.ingress.kubernetes.io/target-type</span><span class="pi">:</span> <span class="s">ip</span> <span class="na">alb.ingress.kubernetes.io/listen-ports</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{"HTTPS":443}]'</span> <span class="na">alb.ingress.kubernetes.io/ssl-redirect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">443"</span> <span class="na">alb.ingress.kubernetes.io/certificate-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="c1"># Injected per-region</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">grafana.matthewoladipupo.dev</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">kubeStateMetrics</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">nodeExporter</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h2> Grafana Public Access </h2> <p>Grafana is only exposed publicly on <code>myapp-production-use1</code>. The reasons:</p> <ul> <li>Grafana uses an EBS <code>ReadWriteOnce</code> PVC — only one node can mount it at a time, making it inherently single-instance</li> <li>EBS data is AZ-local — running a second public Grafana in usw2 would show different historical data</li> <li>One public Grafana that federates data from all clusters is cleaner than four separate Grafana instances</li> </ul> <p><strong>Access URL:</strong> <code>https://grafana.matthewoladipupo.dev</code></p> <p>The Route53 A record points to the ALB provisioned by AWS LBC when the Ingress is applied.</p> <h3> Getting the Grafana Password </h3> <p>The Grafana admin credentials are stored in <code>grafana-admin-secret</code> in the <code>monitoring</code> namespace. <strong>Important caveat:</strong> Grafana only reads this secret on first database initialization. If the secret value changes after the pod has started, you must reset the password via <code>grafana-cli</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> monitoring &lt;grafana-pod&gt; <span class="nt">-c</span> grafana <span class="nt">--</span> <span class="se">\</span> grafana-cli admin reset-admin-password <span class="s1">'YourNewPassword'</span> </code></pre> </div> <h2> ServiceMonitor for the Application </h2> <p>By default, Prometheus only scrapes the cluster components provided by kube-prometheus-stack. To scrape your application, add a <code>ServiceMonitor</code> CRD:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/templates/servicemonitor.yaml</span> <span class="pi">{{</span><span class="nv">- if .Values.serviceMonitor.enabled</span> <span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">monitoring.coreos.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceMonitor</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.fullname" .</span> <span class="pi">}}</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "myapp.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "myapp.selectorLabels" . | nindent 6</span> <span class="pi">}}</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s">http</span> <span class="c1"># Named port on the Service</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/metrics</span> <span class="na">interval</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.serviceMonitor.interval | default "30s"</span> <span class="pi">}}</span> <span class="na">scrapeTimeout</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.serviceMonitor.scrapeTimeout | default "10s"</span> <span class="pi">}}</span> <span class="na">namespaceSelector</span><span class="pi">:</span> <span class="na">matchNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>The application's <code>/metrics</code> endpoint returns Prometheus exposition format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="c"># HELP myapp_http_requests_total Total HTTP requests</span> <span class="c"># TYPE myapp_http_requests_total counter</span> <span class="n">myapp_http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">route</span><span class="o">=</span><span class="s2">"/health"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"200"</span><span class="p">}</span> <span class="mi">1423</span> <span class="n">myapp_http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">route</span><span class="o">=</span><span class="s2">"/metrics"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"200"</span><span class="p">}</span> <span class="mi">89</span> <span class="c"># HELP process_cpu_seconds_total Total user and system CPU time</span> <span class="p">...</span> </code></pre> </div> <p>The key setting that makes auto-discovery work: <code>serviceMonitorSelectorNilUsesHelmValues: false</code> in prometheus-values.yaml. Without this, Prometheus only scrapes ServiceMonitors that have the Helm release's labels — ignoring your application's ServiceMonitor.</p> <h2> PrometheusRule — Alert Rules </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/monitoring/alert-rules/myapp-alerts.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">monitoring.coreos.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PrometheusRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp-alerts</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">monitoring</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">release</span><span class="pi">:</span> <span class="s">prometheus</span> <span class="c1"># Must match what Prometheus Operator is watching</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp.rules</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighErrorRate</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(</span> <span class="s">sum(rate(myapp_http_requests_total{status_code=~"5.."}[5m]))</span> <span class="s">/</span> <span class="s">sum(rate(myapp_http_requests_total[5m]))</span> <span class="s">) &gt; 0.01</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">High</span><span class="nv"> </span><span class="s">error</span><span class="nv"> </span><span class="s">rate</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">myapp</span><span class="nv"> </span><span class="s">({{</span><span class="nv"> </span><span class="s">$value</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">humanizePercentage</span><span class="nv"> </span><span class="s">}})"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">More</span><span class="nv"> </span><span class="s">than</span><span class="nv"> </span><span class="s">1%</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">requests</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">failing</span><span class="nv"> </span><span class="s">with</span><span class="nv"> </span><span class="s">5xx</span><span class="nv"> </span><span class="s">errors</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">5</span><span class="nv"> </span><span class="s">minutes."</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">PodCrashLooping</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">rate(kube_pod_container_status_restarts_total{namespace="myapp"}[15m]) * 60 * 15 &gt; </span><span class="m">2</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Pod</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.pod</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">crash</span><span class="nv"> </span><span class="s">looping"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Pod</span><span class="nv"> </span><span class="s">has</span><span class="nv"> </span><span class="s">restarted</span><span class="nv"> </span><span class="s">more</span><span class="nv"> </span><span class="s">than</span><span class="nv"> </span><span class="s">2</span><span class="nv"> </span><span class="s">times</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">15</span><span class="nv"> </span><span class="s">minutes."</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighMemoryUsage</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(</span> <span class="s">container_memory_working_set_bytes{namespace="myapp",container!=""}</span> <span class="s">/ container_spec_memory_limit_bytes{namespace="myapp",container!=""}</span> <span class="s">) &gt; 0.9</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Memory</span><span class="nv"> </span><span class="s">usage</span><span class="nv"> </span><span class="s">above</span><span class="nv"> </span><span class="s">90%</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.pod</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <h2> Alertmanager — Adding Slack Notifications </h2> <p>The current config uses a <code>null</code> receiver (alerts fire but go nowhere). To wire up Slack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">alertmanager</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">global</span><span class="pi">:</span> <span class="na">resolve_timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">slack_api_url</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK'</span> <span class="na">route</span><span class="pi">:</span> <span class="na">group_by</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">alertname</span><span class="pi">,</span> <span class="nv">region</span><span class="pi">,</span> <span class="nv">cluster</span><span class="pi">]</span> <span class="na">group_wait</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">group_interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">repeat_interval</span><span class="pi">:</span> <span class="s">4h</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">slack-critical</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">slack-critical</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">slack-warning</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">slack-critical</span> <span class="na">slack_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">channel</span><span class="pi">:</span> <span class="s1">'</span><span class="s">#alerts-critical'</span> <span class="na">text</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">*Alert:* {{ .GroupLabels.alertname }}</span> <span class="s">*Severity:* {{ .GroupLabels.severity }}</span> <span class="s">*Cluster:* {{ .GroupLabels.cluster }}</span> <span class="s">{{ range .Alerts }}*Description:* {{ .Annotations.description }}{{ end }}</span> <span class="na">send_resolved</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">slack-warning</span> <span class="na">slack_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">channel</span><span class="pi">:</span> <span class="s1">'</span><span class="s">#alerts-warning'</span> <span class="na">text</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{</span><span class="nv"> </span><span class="s">.GroupLabels.alertname</span><span class="nv"> </span><span class="s">}}:</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">range</span><span class="nv"> </span><span class="s">.Alerts</span><span class="nv"> </span><span class="s">}}{{</span><span class="nv"> </span><span class="s">.Annotations.summary</span><span class="nv"> </span><span class="s">}}{{</span><span class="nv"> </span><span class="s">end</span><span class="nv"> </span><span class="s">}}'</span> <span class="na">send_resolved</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h2> Fluent Bit — Log Shipping to CloudWatch </h2> <p>Fluent Bit runs as a DaemonSet — one pod per node — and reads all container logs from <code>/var/log/containers/*.log</code>.</p> <h3> IRSA for Fluent Bit </h3> <p>Fluent Bit needs IAM permissions to write to CloudWatch. The key lesson: <strong>use wildcard ARNs for both log groups AND log streams</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/fluent-bit-irsa/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"fluent_bit"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"fluent-bit-cloudwatch"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">fluent_bit</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"CloudWatchLogs"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span><span class="p">,</span> <span class="s2">"logs:DescribeLogStreams"</span><span class="p">,</span> <span class="s2">"logs:DescribeLogGroups"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="c1"># Log group operations (CreateLogGroup, DescribeLogGroups)</span> <span class="s2">"arn:aws:logs:${var.aws_region}:${var.account_id}:log-group:/eks/*"</span><span class="p">,</span> <span class="c1"># Log stream operations (CreateLogStream, PutLogEvents)</span> <span class="c1"># The :* suffix is REQUIRED for stream-level permissions</span> <span class="s2">"arn:aws:logs:${var.aws_region}:${var.account_id}:log-group:/eks/*:*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Lesson learned:</strong> Using only <code>log-group:/eks/*</code> (without the <code>:*</code> suffix) grants permissions on the log group resource but NOT on log streams within it. <code>CreateLogStream</code> and <code>PutLogEvents</code> operate on the log stream resource, which requires the <code>:*</code> suffix. Without this, pods get <code>AccessDeniedException</code> on <code>CreateLogStream</code> even though <code>CreateLogGroup</code> succeeds.</p> </blockquote> <h3> Fluent Bit Helm Values </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/logging/fluent-bit-values.yaml</span> <span class="na">serviceAccount</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{irsaRoleArn}}"</span> <span class="c1"># Injected per-cluster</span> <span class="na">cloudWatch</span><span class="pi">:</span> <span class="na">region</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{region}}"</span> <span class="na">logGroupName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/eks/{{cluster}}/$(kubernetes['namespace_name'])"</span> <span class="na">logStreamName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">$(kubernetes['pod_name'])/$(kubernetes['container_name'])"</span> <span class="na">autoCreateGroup</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Enrich log records with Kubernetes metadata</span> <span class="na">filter</span><span class="pi">:</span> <span class="na">kubernetes</span><span class="pi">:</span> <span class="na">Merge_Log</span><span class="pi">:</span> <span class="s">On</span> <span class="na">Keep_Log</span><span class="pi">:</span> <span class="s">Off</span> <span class="na">K8S-Logging.Parser</span><span class="pi">:</span> <span class="s">On</span> <span class="na">K8S-Logging.Exclude</span><span class="pi">:</span> <span class="s">On</span> </code></pre> </div> <h3> CloudWatch Log Groups Created </h3> <p>After Fluent Bit starts, these log groups appear in CloudWatch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/eks/myapp-production-use1/myapp /eks/myapp-production-use1/monitoring /eks/myapp-production-use1/argocd /eks/myapp-production-use1/kyverno /eks/myapp-production-use1/falco ... (one per namespace, all clusters) </code></pre> </div> <h3> Querying Logs with CloudWatch Insights </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="o">#</span> <span class="n">Find</span> <span class="k">all</span> <span class="mi">5</span><span class="n">xx</span> <span class="n">errors</span> <span class="k">in</span> <span class="n">the</span> <span class="k">last</span> <span class="n">hour</span> <span class="n">fields</span> <span class="o">@</span><span class="nb">timestamp</span><span class="p">,</span> <span class="n">log</span> <span class="o">|</span> <span class="n">filter</span> <span class="n">kubernetes</span><span class="p">.</span><span class="n">namespace_name</span> <span class="o">=</span> <span class="nv">"myapp"</span> <span class="o">|</span> <span class="n">filter</span> <span class="n">log</span> <span class="k">like</span> <span class="o">/</span><span class="mi">5</span><span class="p">[</span><span class="mi">0</span><span class="o">-</span><span class="mi">9</span><span class="p">][</span><span class="mi">0</span><span class="o">-</span><span class="mi">9</span><span class="p">]</span><span class="o">/</span> <span class="o">|</span> <span class="n">sort</span> <span class="o">@</span><span class="nb">timestamp</span> <span class="k">desc</span> <span class="o">|</span> <span class="k">limit</span> <span class="mi">100</span> <span class="o">#</span> <span class="n">Find</span> <span class="n">Falco</span> <span class="k">security</span> <span class="n">alerts</span> <span class="n">fields</span> <span class="o">@</span><span class="nb">timestamp</span><span class="p">,</span> <span class="k">output</span> <span class="o">|</span> <span class="n">filter</span> <span class="n">kubernetes</span><span class="p">.</span><span class="n">namespace_name</span> <span class="o">=</span> <span class="nv">"falco"</span> <span class="o">|</span> <span class="n">filter</span> <span class="n">priority</span> <span class="o">=</span> <span class="nv">"Warning"</span> <span class="k">or</span> <span class="n">priority</span> <span class="o">=</span> <span class="nv">"Error"</span> <span class="o">|</span> <span class="n">sort</span> <span class="o">@</span><span class="nb">timestamp</span> <span class="k">desc</span> <span class="o">#</span> <span class="k">Count</span> <span class="n">errors</span> <span class="k">by</span> <span class="n">pod</span> <span class="n">stats</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">as</span> <span class="n">errors</span> <span class="k">by</span> <span class="n">kubernetes</span><span class="p">.</span><span class="n">pod_name</span> <span class="o">|</span> <span class="n">filter</span> <span class="n">log</span> <span class="k">like</span> <span class="o">/</span><span class="n">ERROR</span><span class="o">/</span> <span class="o">|</span> <span class="n">sort</span> <span class="n">errors</span> <span class="k">desc</span> </code></pre> </div> <h2> Grafana Dashboards </h2> <h3> Pre-built Dashboards (from kube-prometheus-stack) </h3> <p>These are included automatically and show up in Grafana immediately after installation:</p> <ul> <li> <strong>Kubernetes / Compute Resources / Cluster</strong> — total CPU/memory across all nodes</li> <li> <strong>Kubernetes / Compute Resources / Namespace</strong> — resource breakdown per namespace</li> <li> <strong>Node Exporter / Nodes</strong> — per-node CPU, memory, disk, network I/O</li> <li> <strong>Alertmanager / Overview</strong> — alert firing/resolved history</li> </ul> <h3> Importing Community Dashboards </h3> <ol> <li>Go to <code>https://grafana.matthewoladipupo.dev</code> </li> <li>Dashboards → Import</li> <li>Enter the dashboard ID from grafana.com: <ul> <li> <code>1860</code> — Node Exporter Full (very detailed node metrics)</li> <li> <code>13332</code> — Kubernetes Pods (pod-level resource view)</li> <li> <code>15757</code> — ArgoCD (sync status, app health)</li> </ul> </li> </ol> <h3> Application Dashboard </h3> <p>With the ServiceMonitor installed, Grafana can display your app metrics. Create a panel with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Request rate (requests per second) sum(rate(myapp_http_requests_total[5m])) by (route) # Error rate (percentage of 5xx) sum(rate(myapp_http_requests_total{status_code=~"5.."}[5m])) / sum(rate(myapp_http_requests_total[5m])) * 100 # 95th percentile latency (if using histogram metric) histogram_quantile(0.95, rate(http_request_duration_seconds_bucket[5m])) </code></pre> </div> <h2> Summary </h2> <p>By the end of Part 9 you have:</p> <ul> <li>✅ kube-prometheus-stack on 4 clusters (staging + production) with EBS persistent storage</li> <li>✅ Grafana publicly accessible at <code>https://grafana.matthewoladipupo.dev</code> (production-use1 only)</li> <li>✅ ServiceMonitor scraping myapp's <code>/metrics</code> endpoint every 30 seconds</li> <li>✅ PrometheusRule alert rules for high error rate, crash looping, high memory</li> <li>✅ Fluent Bit DaemonSet on all 6 clusters shipping logs to CloudWatch</li> <li>✅ CloudWatch log groups per namespace per cluster</li> <li>✅ CloudWatch Insights for ad-hoc log queries</li> </ul> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: Grafana — Kubernetes cluster overview dashboard showing node CPU and memory</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F80fld1ic5bi2llmxn84q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F80fld1ic5bi2llmxn84q.png" alt="Show in frame: Dashboard ID 15757 or similar — showing cluster CPU/Memory/Pod count panels with the cluster selector dropdown visible." width="800" height="445"></a></p> <p><strong>SCREENSHOT: Grafana — Node Exporter dashboard showing per-node metrics</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdimxl0baoqd956a6hjjz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdimxl0baoqd956a6hjjz.png" alt="Show in frame: CPU usage graphs, memory usage, disk I/O, network I/O — all in one view. Pick a time range with actual traffic." width="800" height="447"></a></p> <p><strong>SCREENSHOT: AWS CloudWatch — Log groups showing /eks/ hierarchy from Fluent Bit</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6rc0vs525hteex2n6hsu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6rc0vs525hteex2n6hsu.png" alt="Show in frame: The /eks/myapp-production-use1/ log groups visible — application, dataplane, host. This proves Fluent Bit is shipping logs." width="800" height="442"></a></p> <p><strong>SCREENSHOT: CloudWatch Insights — query result showing application logs</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgq4ww2vh40bjajtglor4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgq4ww2vh40bjajtglor4.png" alt="Show in frame: A simple fields @timestamp, @message | sort @timestamp desc | limit 20 query with actual log lines from your app. This is very compelling visually." width="800" height="442"></a></p> </blockquote> <p><em>Next: Part 10 — Resilience: Karpenter, HPA, Argo Rollouts, and Velero</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> kubernetes monitoring devops aws Part 8: Security Stack Matthew Wed, 06 May 2026 08:00:00 +0000 https://dev.to/matthewdipo/part-8-security-stack-48if https://dev.to/matthewdipo/part-8-security-stack-48if <h2> Security Stack — Kyverno, Falco, WAF, and GuardDuty </h2> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction: Defense in Depth </h2> <p>No single security tool is sufficient. A WAF blocks HTTP attacks but does nothing if an attacker exploits a container escape. Kyverno blocks bad pod configurations but can't stop an attacker who is already inside a running container. Each layer catches what the others miss.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88nfm95f8jp7bck9nlyd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88nfm95f8jp7bck9nlyd.png" alt="Security Defense in Depth — 5 concentric layers: Supply Chain (Trivy, <br> Cosign, ECR), Runtime (Falco eBPF), Admission Control (Kyverno), Cloud <br> Perimeter (GuardDuty, WAF), Network (VPC, Security Groups)" width="800" height="524"></a></p> <p><em>An attacker must penetrate all 5 layers. A container escape attempt is caught <br> simultaneously by Falco (runtime), Kyverno (admission), and GuardDuty (API <br> anomaly detection).</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ SECURITY LAYERS — each catches different attack vectors │ │ │ │ Layer 1: SUPPLY CHAIN (Part 6) │ │ ┌─────────────────────────────────────────────────────────────┐ │ │ │ Trivy: no HIGH/CRITICAL CVEs in image │ │ │ │ Cosign: image cryptographically signed before push │ │ │ │ Distroless: no shell/tools available post-compromise │ │ │ └─────────────────────────────────────────────────────────────┘ │ │ ↓ (image passes, reaches cluster) │ │ Layer 2: ADMISSION CONTROL (Kyverno) │ │ ┌─────────────────────────────────────────────────────────────┐ │ │ │ Blocks bad configs at kubectl apply / ArgoCD sync time │ │ │ │ Pod never starts if it violates policy │ │ │ └─────────────────────────────────────────────────────────────┘ │ │ ↓ (pod starts, attacker gets RCE) │ │ Layer 3: RUNTIME DETECTION (Falco) │ │ ┌─────────────────────────────────────────────────────────────┐ │ │ │ eBPF syscall monitoring — detects attacks already running │ │ │ │ Alerts within 1 second of suspicious activity │ │ │ └─────────────────────────────────────────────────────────────┘ │ │ ↓ (attacker reaches HTTP layer) │ │ Layer 4: PERIMETER (AWS WAF) │ │ ┌─────────────────────────────────────────────────────────────┐ │ │ │ Blocks SQLi, XSS, log4shell, rate limiting at ALB level │ │ │ │ Attacker request never reaches your pod │ │ │ └─────────────────────────────────────────────────────────────┘ │ │ ↓ (account-level threats) │ │ Layer 5: THREAT INTELLIGENCE (GuardDuty) │ │ ┌─────────────────────────────────────────────────────────────┐ │ │ │ ML-based: crypto mining, C2 comms, compromised credentials │ │ │ │ Monitors CloudTrail, VPC Flow Logs, DNS queries │ │ │ └─────────────────────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Kyverno — Admission Control </h2> <p>Kyverno is a Kubernetes-native policy engine. Policies are written in YAML, not a separate policy language, which makes them readable and maintainable by anyone who knows Kubernetes.</p> <h3> Version Selection </h3> <p><strong>This matters enormously.</strong> Kyverno 3.7.x requires Kubernetes ≥ 1.30 because it uses <code>ValidatingAdmissionPolicy</code> (a v1 API). Our clusters run Kubernetes 1.29.</p> <ul> <li>❌ Kyverno 3.7.x → CrashLoopBackOff on k8s 1.29</li> <li>✅ Kyverno 3.2.6 (app version 1.12.5) → compatible with k8s 1.25–1.29 </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/kyverno/applicationset.yaml</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://kyverno.github.io/kyverno</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">kyverno</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.2.6"</span> </code></pre> </div> <h3> Installation Flags </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>kyverno kyverno/kyverno <span class="se">\</span> <span class="nt">-n</span> kyverno <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--version</span> 3.2.6 <span class="se">\</span> <span class="nt">--no-hooks</span> <span class="se">\ </span> <span class="c"># REQUIRED: cleanup CronJobs get ImagePullBackOff</span> <span class="nt">--wait</span> <span class="se">\</span> <span class="nt">--timeout</span> 10m </code></pre> </div> <h3> System Namespace Exclusions </h3> <p>Kyverno policies apply to all namespaces by default. System components like CoreDNS and kube-proxy run in <code>kube-system</code> and don't follow application-level security policies (they need root, they need hostPath, etc.). Exclude system namespaces in every policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Applies to ALL policies below</span> <span class="na">exclude</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kube-system</span> <span class="pi">-</span> <span class="s">kyverno</span> <span class="pi">-</span> <span class="s">cert-manager</span> <span class="pi">-</span> <span class="s">external-secrets</span> <span class="pi">-</span> <span class="s">argocd</span> <span class="pi">-</span> <span class="s">argo-rollouts</span> <span class="pi">-</span> <span class="s">monitoring</span> <span class="pi">-</span> <span class="s">logging</span> <span class="pi">-</span> <span class="s">falco</span> </code></pre> </div> <h3> Policy 1: Block Privileged Containers </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kyverno.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">disallow-privileged-containers</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">validationFailureAction</span><span class="pi">:</span> <span class="s">Enforce</span> <span class="na">background</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">check-privileged</span> <span class="na">match</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">Pod</span><span class="pi">]</span> <span class="na">exclude</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kube-system</span><span class="pi">,</span> <span class="nv">kyverno</span><span class="pi">,</span> <span class="nv">cert-manager</span><span class="pi">,</span> <span class="nv">external-secrets</span><span class="pi">,</span> <span class="nv">argocd</span><span class="pi">,</span> <span class="nv">argo-rollouts</span><span class="pi">,</span> <span class="nv">monitoring</span><span class="pi">,</span> <span class="nv">logging</span><span class="pi">,</span> <span class="nv">falco</span><span class="pi">]</span> <span class="na">validate</span><span class="pi">:</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Privileged</span><span class="nv"> </span><span class="s">containers</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">allowed."</span> <span class="c1"># Use anyPattern in Kyverno v1.12.x (NOT validate.any)</span> <span class="na">anyPattern</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">=(securityContext)</span><span class="pi">:</span> <span class="na">=(privileged)</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">=(securityContext)</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <blockquote> <p><strong>API change in v1.12.x:</strong> Use <code>validate.anyPattern</code> not <code>validate.any</code>. The <code>validate.any</code> syntax was removed in the 1.12 API version.</p> </blockquote> <h3> Policy 2: Require Non-Root Containers </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kyverno.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">require-non-root</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">validationFailureAction</span><span class="pi">:</span> <span class="s">Enforce</span> <span class="na">background</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">check-runasnonroot</span> <span class="na">match</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">Pod</span><span class="pi">]</span> <span class="na">exclude</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kube-system</span><span class="pi">,</span> <span class="nv">kyverno</span><span class="pi">,</span> <span class="nv">cert-manager</span><span class="pi">,</span> <span class="nv">external-secrets</span><span class="pi">,</span> <span class="nv">argocd</span><span class="pi">,</span> <span class="nv">argo-rollouts</span><span class="pi">,</span> <span class="nv">monitoring</span><span class="pi">,</span> <span class="nv">logging</span><span class="pi">,</span> <span class="nv">falco</span><span class="pi">]</span> <span class="na">validate</span><span class="pi">:</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Containers</span><span class="nv"> </span><span class="s">must</span><span class="nv"> </span><span class="s">run</span><span class="nv"> </span><span class="s">as</span><span class="nv"> </span><span class="s">non-root</span><span class="nv"> </span><span class="s">(runAsNonRoot:</span><span class="nv"> </span><span class="s">true)."</span> <span class="na">anyPattern</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">runAsNonRoot</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">runAsNonRoot</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h3> Policy 3: Block hostPath Volumes </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kyverno.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">disallow-host-path</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">validationFailureAction</span><span class="pi">:</span> <span class="s">Enforce</span> <span class="na">background</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">check-hostpath</span> <span class="na">match</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">Pod</span><span class="pi">]</span> <span class="na">exclude</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kube-system</span><span class="pi">,</span> <span class="nv">kyverno</span><span class="pi">,</span> <span class="nv">logging</span><span class="pi">,</span> <span class="nv">falco</span><span class="pi">]</span> <span class="na">validate</span><span class="pi">:</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">hostPath</span><span class="nv"> </span><span class="s">volumes</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">allowed."</span> <span class="na">deny</span><span class="pi">:</span> <span class="na">conditions</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">request.object.spec.volumes[].hostPath</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">length(@)</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">GreaterThan</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> </code></pre> </div> <h3> Policy 4: Require Resource Limits </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kyverno.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">require-resource-limits</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">validationFailureAction</span><span class="pi">:</span> <span class="s">Enforce</span> <span class="na">background</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">check-limits</span> <span class="na">match</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">Pod</span><span class="pi">]</span> <span class="na">exclude</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kube-system</span><span class="pi">,</span> <span class="nv">kyverno</span><span class="pi">,</span> <span class="nv">cert-manager</span><span class="pi">,</span> <span class="nv">external-secrets</span><span class="pi">,</span> <span class="nv">argocd</span><span class="pi">,</span> <span class="nv">argo-rollouts</span><span class="pi">,</span> <span class="nv">monitoring</span><span class="pi">,</span> <span class="nv">logging</span><span class="pi">,</span> <span class="nv">falco</span><span class="pi">]</span> <span class="na">validate</span><span class="pi">:</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CPU</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">memory</span><span class="nv"> </span><span class="s">limits</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">required</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">all</span><span class="nv"> </span><span class="s">containers."</span> <span class="na">pattern</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">?*"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">?*"</span> </code></pre> </div> <h3> Policy 5: Require Signed Images </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kyverno.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">require-signed-images</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">validationFailureAction</span><span class="pi">:</span> <span class="s">Enforce</span> <span class="na">background</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># Must check at admission, not retroactively</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">check-image-signature</span> <span class="na">match</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">Pod</span><span class="pi">]</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">myapp</span><span class="pi">]</span> <span class="c1"># Only enforce on application namespaces</span> <span class="na">verifyImages</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">imageReferences</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">206617159586.dkr.ecr.us-east-1.amazonaws.com/myapp:*"</span> <span class="na">attestors</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">entries</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">keys</span><span class="pi">:</span> <span class="na">kms</span><span class="pi">:</span> <span class="s2">"</span><span class="s">awskms:///arn:aws:kms:us-east-1:206617159586:key/YOUR_KEY_ID"</span> </code></pre> </div> <h3> Kyverno Circular Deadlock — How to Fix It </h3> <p>If Kyverno's webhook configurations become corrupted (e.g., from a failed upgrade), new Kyverno pods can't start because they can't pass their own admission checks. It is a deadlock.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Symptom: Kyverno pods stuck in Pending or CrashLoopBackOff</span> <span class="c"># Error: "failed calling webhook: the server is currently unable to handle the request"</span> <span class="c"># Fix: Delete the broken webhook configs — this temporarily disables admission control</span> kubectl delete validatingwebhookconfiguration kyverno-resource-validating-webhook-cfg kubectl delete validatingwebhookconfiguration kyverno-policy-validating-webhook-cfg kubectl delete mutatingwebhookconfiguration kyverno-resource-mutating-webhook-cfg <span class="c"># Kyverno pods can now start without passing their own webhooks</span> <span class="c"># Once running, Kyverno recreates the webhook configs automatically</span> kubectl rollout restart deployment/kyverno <span class="nt">-n</span> kyverno </code></pre> </div> <h2> Falco — Runtime Threat Detection </h2> <p>Falco operates at the Linux kernel level using eBPF probes. It monitors every system call made by every process in every container. When a pattern matches a rule, it fires an alert within milliseconds.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────┐ │ HOW FALCO WORKS │ │ │ │ Kernel syscalls (open, exec, connect, read, write...) │ │ │ │ │ │ eBPF probe (kernel module or ebpf driver) │ │ ▼ │ │ Falco engine │ │ ├── Checks each syscall against rule set │ │ ├── Rule: "exec of sh in container → ALERT" │ │ └── Rule: "read /etc/shadow → ALERT" │ │ │ │ │ │ JSON alert output to stdout │ │ ▼ │ │ Fluent Bit (DaemonSet) picks up stdout │ │ │ │ │ ▼ │ │ CloudWatch Logs: /eks/cluster-name/falco │ └──────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/falco/applicationset.yaml</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://falcosecurity.github.io/charts</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">falco</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.8.7"</span> <span class="na">helm</span><span class="pi">:</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">driver:</span> <span class="s">kind: ebpf # Modern eBPF driver (no kernel module compilation)</span> <span class="s">falco:</span> <span class="s">json_output: true # JSON output for Fluent Bit parsing</span> <span class="s">log_stderr: true</span> <span class="s">log_level: info</span> <span class="s">falcosidekick:</span> <span class="s">enabled: false # Using Fluent Bit for log shipping instead</span> </code></pre> </div> <h3> Key Rules That Fire by Default </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Rule</th> <th>Trigger</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td>Terminal shell in container</td> <td> <code>exec</code> of sh/bash/zsh in container</td> <td>WARNING</td> </tr> <tr> <td>Read sensitive file untrusted</td> <td>Read of /etc/shadow, /etc/passwd</td> <td>WARNING</td> </tr> <tr> <td>Write below root</td> <td>Any write to / or system dirs</td> <td>ERROR</td> </tr> <tr> <td>Outbound Connection Not Expected</td> <td>Container connects to unexpected IP</td> <td>NOTICE</td> </tr> <tr> <td>Privilege Escalation via setuid</td> <td>setuid/setgid syscall</td> <td>WARNING</td> </tr> <tr> <td>Modify binary dirs</td> <td>Write to /bin, /usr/bin</td> <td>ERROR</td> </tr> </tbody> </table></div> <h3> Testing Falco </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In one terminal, watch Falco logs</span> kubectl logs <span class="nt">-f</span> <span class="nt">-n</span> falco <span class="nt">-l</span> app.kubernetes.io/name<span class="o">=</span>falco <span class="nt">-c</span> falco | <span class="nb">grep</span> <span class="nt">-v</span> <span class="s2">"Notice</span><span class="se">\|</span><span class="s2">Informational"</span> <span class="c"># In another terminal, trigger a rule</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> <span class="nt">-n</span> myapp &lt;pod-name&gt; <span class="nt">--</span> sh <span class="c"># Falco fires: "Notice A shell was spawned in a container with an attached terminal"</span> <span class="c"># (Note: distroless containers have no shell — this only works if you exec into a debug container)</span> </code></pre> </div> <h3> Custom Rule: Alert on curl/wget </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/falco/custom-rules.yaml</span> <span class="pi">-</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">Unexpected curl or wget in container</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Detect curl or wget being used in a container (potential exfiltration)</span> <span class="na">condition</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">spawned_process and</span> <span class="s">container and</span> <span class="s">proc.name in (curl, wget, python, python3) and</span> <span class="s">not proc.pname in (sh, bash)</span> <span class="na">output</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">Curl/wget detected in container</span> <span class="s">(user=%user.name command=%proc.cmdline container=%container.name</span> <span class="s">image=%container.image.repository)</span> <span class="na">priority</span><span class="pi">:</span> <span class="s">WARNING</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">network</span><span class="pi">,</span> <span class="nv">mitre_exfiltration</span><span class="pi">]</span> </code></pre> </div> <h2> AWS WAF — Web Application Firewall </h2> <p>WAF sits in front of your ALB and inspects every HTTP request before it reaches your pods. This happens at the AWS network edge — your application code never sees malicious requests.</p> <h3> Terraform Module </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/waf/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_wafv2_web_acl"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.env}-${var.region_alias}-web-acl"</span> <span class="nx">scope</span> <span class="p">=</span> <span class="s2">"REGIONAL"</span> <span class="c1"># For ALB (not CloudFront)</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">allow</span> <span class="p">{}</span> <span class="c1"># Allow by default; rules below explicitly block</span> <span class="p">}</span> <span class="c1"># Rule 1: AWS Managed — Common Rule Set (OWASP Top 10)</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesCommonRuleSet"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">override_action</span> <span class="p">{</span> <span class="nx">none</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">managed_rule_group_statement</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesCommonRuleSet"</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CommonRuleSet"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Rule 2: SQL Injection protection</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesSQLiRuleSet"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">override_action</span> <span class="p">{</span> <span class="nx">none</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">managed_rule_group_statement</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesSQLiRuleSet"</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"SQLiRuleSet"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Rule 3: Known bad inputs (log4shell, Spring4Shell, etc.)</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesKnownBadInputsRuleSet"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">override_action</span> <span class="p">{</span> <span class="nx">none</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">managed_rule_group_statement</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesKnownBadInputsRuleSet"</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"KnownBadInputs"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Rule 4: Rate limiting — 2000 req/5min per IP</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"RateLimitPerIP"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">rate_based_statement</span> <span class="p">{</span> <span class="nx">limit</span> <span class="p">=</span> <span class="mi">2000</span> <span class="nx">aggregate_key_type</span> <span class="p">=</span> <span class="s2">"IP"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"RateLimit"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"${var.env}-web-acl"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"web_acl_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_wafv2_web_acl</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h3> Associating WAF with Your Ingress </h3> <p>The WAF ACL ARN is injected per-cluster via the ApplicationSet and added as an ALB annotation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/templates/ingress.yaml</span> <span class="pi">{{</span><span class="nv">- if .Values.ingress.enabled</span> <span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.fullname" .</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">kubernetes.io/ingress.class</span><span class="pi">:</span> <span class="s">alb</span> <span class="na">alb.ingress.kubernetes.io/scheme</span><span class="pi">:</span> <span class="s">internet-facing</span> <span class="na">alb.ingress.kubernetes.io/target-type</span><span class="pi">:</span> <span class="s">ip</span> <span class="na">alb.ingress.kubernetes.io/listen-ports</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{"HTTPS":443},{"HTTP":80}]'</span> <span class="na">alb.ingress.kubernetes.io/ssl-redirect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">443"</span> <span class="na">alb.ingress.kubernetes.io/certificate-arn</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.ingress.certArn</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.ingress.wafAclArn</span> <span class="pi">}}</span> <span class="na">alb.ingress.kubernetes.io/wafv2-acl-arn</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.ingress.wafAclArn</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <h2> AWS GuardDuty — Threat Intelligence </h2> <p>GuardDuty operates at the AWS account level — it analyzes CloudTrail API logs, VPC Flow Logs, and DNS query logs using machine learning to identify threats.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/guardduty/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_guardduty_detector"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">enable</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">datasources</span> <span class="p">{</span> <span class="nx">s3_logs</span> <span class="p">{</span> <span class="nx">enable</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Detect unusual S3 access patterns</span> <span class="p">}</span> <span class="nx">kubernetes</span> <span class="p">{</span> <span class="nx">audit_logs</span> <span class="p">{</span> <span class="nx">enable</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Monitor EKS audit logs for suspicious API calls</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">malware_protection</span> <span class="p">{</span> <span class="nx">scan_ec2_instance_with_findings</span> <span class="p">{</span> <span class="nx">ebs_volumes</span> <span class="p">{</span> <span class="nx">enable</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Scan EBS volumes when GuardDuty finds a threat</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> What GuardDuty Detects </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Finding Type</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td><code>CryptoCurrency:EC2/BitcoinTool.B!DNS</code></td> <td>EC2 instance querying known crypto mining pools</td> </tr> <tr> <td><code>UnauthorizedAccess:IAMUser/TorIPCaller</code></td> <td>API calls originating from Tor exit nodes</td> </tr> <tr> <td><code>CredentialAccess:Kubernetes/SuccessfulAnonymousAccess</code></td> <td>Anonymous access to Kubernetes API</td> </tr> <tr> <td><code>Execution:Kubernetes/ExecInKubernetes.Medium</code></td> <td>kubectl exec into a running pod (suspicious context)</td> </tr> <tr> <td><code>Exfiltration:S3/ObjectRead.Unusual</code></td> <td>Unusual S3 read patterns suggesting data theft</td> </tr> </tbody> </table></div> <h2> Attack Scenario: All Layers in Action </h2> <p>Here's how the security layers stop a real attack:</p> <p><strong>Scenario: Attacker finds a dependency with RCE vulnerability</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Attacker discovers CVE-XXXX-1234 in one of your npm packages → Trivy: if the CVE is HIGH/CRITICAL, the build FAILS — image never pushed (Layer 1: Supply Chain) 2. If Trivy missed it (unfixed CVE) and image was pushed: Attacker triggers the RCE, gets command execution in the pod → Falco: "A shell was spawned in container myapp-abc123" Alert fires within 1 second to CloudWatch (Layer 3: Runtime Detection) → But wait — distroless has no /bin/sh to spawn Attacker needs a writable filesystem — which is also blocked (Layer 1: Distroless base) 3. Attacker tries to deploy a privileged pod to escape to the node: → Kyverno: BLOCKS the pod at admission — "Privileged containers not allowed" Pod never starts (Layer 2: Admission Control) 4. Attacker tries SQL injection via the public HTTP endpoint: → AWS WAF: blocks the request at the ALB Your pod code never executes the malicious query (Layer 4: Perimeter) 5. Attacker's stolen AWS key starts making API calls: → GuardDuty: unusual API call pattern detected Finding generated: "UnauthorizedAccess:IAMUser/AnomalousBehavior" (Layer 5: Threat Intelligence) </code></pre> </div> <h2> Summary </h2> <p>By the end of Part 8 you have:</p> <ul> <li>✅ Kyverno 3.2.6 running on all 6 clusters (compatible with k8s 1.29)</li> <li>✅ Five Kyverno policies enforcing: no privileged, no root, no hostPath, resource limits, signed images</li> <li>✅ Falco DaemonSet monitoring all syscalls with eBPF driver</li> <li>✅ Falco alerts flowing to CloudWatch via Fluent Bit</li> <li>✅ AWS WAF WebACL with OWASP Top 10, SQLi, known bad inputs, and rate limiting</li> <li>✅ GuardDuty enabled in all accounts with EKS audit log monitoring</li> </ul> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: AWS WAF console showing WebACL with managed rule groups and request metrics</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy3mf667e3erwf3mkv8x1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy3mf667e3erwf3mkv8x1.png" alt="Show in frame: The rules list showing RateLimit, SQLi, XSS, BadBots rules with Allow/Block actions." width="800" height="442"></a></p> <p><strong>SCREENSHOT: AWS GuardDuty console showing Findings summary (hopefully empty in production)</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfai4xgrqdmf085twsfh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfai4xgrqdmf085twsfh.png" alt="Show in frame: The service status showing " width="800" height="445"></a></p> <p><strong>SCREENSHOT: kubectl get clusterpolicies showing all Kyverno policies as Ready</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjs54gsuu1e0m2ew21jwo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjs54gsuu1e0m2ew21jwo.png" alt="Show in frame: All 5 policies with READY: True and BACKGROUND: True, Mode: Enforce. Already in the appendix — take a clean terminal screenshot." width="800" height="734"></a></p> </blockquote> <p><em>Next: Part 9 — Observability: Prometheus, Grafana, Fluent Bit, and CloudWatch</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> security kubernetes devops aws Part 7: Secrets Management Matthew Wed, 29 Apr 2026 08:00:00 +0000 https://dev.to/matthewdipo/part-7-secrets-management-108k https://dev.to/matthewdipo/part-7-secrets-management-108k <h2> Part 7: Secrets Management — AWS Secrets Manager + External Secrets Operator + IRSA </h2> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>Secrets management is one of the areas where teams most commonly take shortcuts that later become security incidents. The three anti-patterns to avoid:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ieyrvjniq5vie8ybbd7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ieyrvjniq5vie8ybbd7.png" alt="IRSA Secrets Flow — How Kubernetes pods access AWS Secrets Manager without <br> static credentials using IAM Roles for Service Accounts and OIDC token <br> exchange" width="800" height="370"></a></p> <p><em>The pod never holds AWS credentials. It exchanges a short-lived Kubernetes <br> JWT (1 hour) for temporary IAM credentials via AWS STS, then ESO fetches <br> the secret and creates a Kubernetes Secret.</em></p> <ul> <li> <strong>Secrets in Git</strong> — even in a private repo, any developer with access can read them; git history preserves them forever even after deletion</li> <li> <strong>Secrets baked into images</strong> — anyone who pulls the image gets the secrets</li> <li> <strong>Secrets in Kubernetes ConfigMaps</strong> — ConfigMaps are not encrypted by default; any pod in the namespace can read them</li> </ul> <p>This pipeline uses a three-layer approach:</p> <ol> <li> <strong>AWS Secrets Manager</strong> — the source of truth; all secrets live here, encrypted with KMS</li> <li> <strong>External Secrets Operator (ESO)</strong> — a Kubernetes controller that fetches secrets from AWS and creates Kubernetes Secret objects</li> <li> <strong>IRSA (IAM Roles for Service Accounts)</strong> — pod-level AWS identity so ESO can call Secrets Manager without node-level credentials</li> </ol> <h2> Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────────┐ │ SECRETS FLOW │ │ │ │ AWS Secrets Manager │ │ production/myapp/db-password: "s3cr3t-v@lue" │ │ │ │ │ │ GetSecretValue (every 1h) │ │ │ Authenticated via IRSA (OIDC token → STS → temp creds) │ │ ▼ │ │ ESO Operator Pod │ │ (external-secrets namespace) │ │ │ │ │ │ Creates/updates │ │ ▼ │ │ Kubernetes Secret: myapp-db-password │ │ (myapp namespace) │ │ │ │ │ │ Mounted as env var │ │ ▼ │ │ myapp Pod: process.env.DB_PASSWORD = "s3cr3t-v@lue" │ └──────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> IRSA Deep Dive </h2> <p>IRSA (IAM Roles for Service Accounts) is the mechanism that gives individual Kubernetes pods fine-grained AWS IAM permissions without sharing credentials at the node level.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌────────────────────────────────────────────────────────────────────┐ │ HOW IRSA WORKS │ │ │ │ 1. EKS creates an OIDC provider for the cluster │ │ URL: oidc.eks.us-east-1.amazonaws.com/id/CLUSTER_ID │ │ │ │ 2. Pod's ServiceAccount is annotated: │ │ eks.amazonaws.com/role-arn: arn:aws:iam::ACCT:role/eso-role │ │ │ │ 3. EKS projects a signed OIDC JWT into the pod at: │ │ /var/run/secrets/eks.amazonaws.com/serviceaccount/token │ │ │ │ 4. ESO SDK calls sts:AssumeRoleWithWebIdentity with that token │ │ │ │ 5. AWS validates: token signed by trusted OIDC provider? │ │ sub matches trust policy condition? │ │ │ │ 6. AWS returns temporary creds (AccessKeyId + SecretKey + Token) │ │ Valid for 1 hour, then automatically expire │ │ │ │ Result: only THIS pod in THIS namespace with THIS SA can │ │ assume the role — not any other pod on the same node │ └────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <p><strong>Why IRSA over node-level IAM?</strong></p> <p>Node-level IAM (EC2 instance profile) gives every pod on the node the same permissions. If one pod is compromised, the attacker has the permissions of every pod on that node. IRSA scopes permissions to the exact service account — the blast radius of a compromise is just that one workload.</p> <h2> Terraform: ESO IRSA Module </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/eso-irsa/main.tf</span> <span class="nx">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"env"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"oidc_provider_arn"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"oidc_provider"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="c1"># URL without https://</span> <span class="nx">variable</span> <span class="s2">"account_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Helm fullname = {release}-{chart}</span> <span class="c1"># Release name = cluster name (e.g., myapp-production-use1)</span> <span class="c1"># Chart name = myapp</span> <span class="c1"># So the SA name = myapp-production-use1-myapp</span> <span class="c1">#</span> <span class="c1"># CRITICAL: The IRSA trust policy sub claim must match this exactly.</span> <span class="c1"># Getting this wrong = ESO pods cannot assume the role = secrets don't sync.</span> <span class="nx">sa_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-myapp"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"external-secrets"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"eso"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-eso"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"${var.oidc_provider}:aud"</span> <span class="p">=</span> <span class="s2">"sts.amazonaws.com"</span> <span class="c1"># Must match: system:serviceaccount:{namespace}:{sa-name}</span> <span class="s2">"${var.oidc_provider}:sub"</span> <span class="p">=</span> <span class="s2">"system:serviceaccount:${local.namespace}:${local.sa_name}"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"eso"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"eso-secrets-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eso</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"SecretsManagerRead"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"secretsmanager:GetSecretValue"</span><span class="p">,</span> <span class="s2">"secretsmanager:DescribeSecret"</span><span class="p">,</span> <span class="s2">"secretsmanager:ListSecretVersionIds"</span> <span class="p">]</span> <span class="c1"># Wildcard covers all secrets for this environment</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:secretsmanager:*:${var.account_id}:secret:${var.env}/myapp/*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"role_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eso</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h2> Creating Secrets in AWS Secrets Manager </h2> <p>Use a structured naming convention: <code>{env}/myapp/{secret-name}</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Development secrets (dev account)</span> aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"dev/myapp/db-password"</span> <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s1">'{"password":"dev-db-secret-here"}'</span> <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-dev-use1 <span class="c"># Production secrets (production account)</span> aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"production/myapp/db-password"</span> <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s1">'{"password":"prod-super-secret-here"}'</span> <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="c"># To update a secret (rotation):</span> aws secretsmanager update-secret <span class="se">\</span> <span class="nt">--secret-id</span> <span class="s2">"production/myapp/db-password"</span> <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s1">'{"password":"new-rotated-password"}'</span> <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="c"># ESO picks up the new value within refreshInterval (1h default)</span> </code></pre> </div> <h2> ESO Installation via ArgoCD </h2> <p>ESO runs as a controller in the <code>external-secrets</code> namespace on every cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infrastructure/eso/applicationset.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ApplicationSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-secrets-operator</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">generators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">list</span><span class="pi">:</span> <span class="na">elements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-dev-use1</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-dev-usw2</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-west-2</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-staging-use1</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-staging-usw2</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-west-2</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-production-use1</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-production-usw2</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-west-2</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">eso-{{cluster}}"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">production</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://charts.external-secrets.io</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">external-secrets</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.9.13"</span> <span class="na">helm</span><span class="pi">:</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">serviceAccount:</span> <span class="s">annotations:</span> <span class="s">eks.amazonaws.com/role-arn: "{{irsaRoleArn}}"</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{cluster}}"</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">external-secrets</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">CreateNamespace=true</span><span class="pi">]</span> </code></pre> </div> <h2> SecretStore CRD </h2> <p>The SecretStore tells ESO where to find secrets and how to authenticate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/templates/secretstore.yaml</span> <span class="pi">{{</span><span class="nv">- if .Values.externalSecrets.enabled</span> <span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">SecretStore</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-secrets-manager</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">aws</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="s">SecretsManager</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="c1"># Always pull from us-east-1 (single source of truth)</span> <span class="na">auth</span><span class="pi">:</span> <span class="na">jwt</span><span class="pi">:</span> <span class="na">serviceAccountRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "myapp.serviceAccountName" .</span> <span class="pi">}}</span> <span class="c1"># DO NOT add namespace: field here.</span> <span class="c1"># Namespaced SecretStore rejects serviceAccountRef.namespace.</span> <span class="c1"># The SA is in the same namespace as the SecretStore.</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <blockquote> <p><strong>Lesson learned:</strong> A namespaced <code>SecretStore</code> (not <code>ClusterSecretStore</code>) will reject the config if <code>serviceAccountRef.namespace</code> is specified. The namespace is implicit — it's the same namespace as the SecretStore itself. Only <code>ClusterSecretStore</code> supports cross-namespace references.</p> </blockquote> <h2> ExternalSecret CRD </h2> <p>The ExternalSecret tells ESO which secret to fetch and what Kubernetes Secret to create:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/templates/external-secret.yaml</span> <span class="pi">{{</span><span class="nv">- if .Values.externalSecrets.enabled</span> <span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ExternalSecret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp-secrets</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">refreshInterval</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.externalSecrets.refreshInterval | default "1h"</span> <span class="pi">}}</span> <span class="na">secretStoreRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-secrets-manager</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">SecretStore</span> <span class="na">target</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp-db-credentials</span> <span class="c1"># Name of the Kubernetes Secret to create</span> <span class="na">creationPolicy</span><span class="pi">:</span> <span class="s">Owner</span> <span class="c1"># ESO owns this secret — it will delete it if ExternalSecret is deleted</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretKey</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="c1"># Key in the Kubernetes Secret</span> <span class="na">remoteRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">production/myapp/db-password</span> <span class="c1"># Secret name in AWS Secrets Manager</span> <span class="na">property</span><span class="pi">:</span> <span class="s">password</span> <span class="c1"># JSON key within the secret value</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <h2> Helm Chart Integration </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/values.yaml (defaults — disabled)</span> <span class="na">externalSecrets</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">refreshInterval</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">irsaRoleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="c1"># apps/myapp/values-production.yaml</span> <span class="na">externalSecrets</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">irsaRoleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="c1"># Injected per-cluster via ApplicationSet parameter</span> <span class="c1"># apps/myapp/values-dev.yaml</span> <span class="na">externalSecrets</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">irsaRoleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::557702566877:role/myapp-dev-eso"</span> </code></pre> </div> <p>The ApplicationSet injects the correct IRSA role ARN per cluster via parameters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">externalSecrets.irsaRoleArn"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{irsaRoleArn}}"</span> </code></pre> </div> <h2> Deployment Mounting the Secret </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/myapp/templates/deployment.yaml (relevant section)</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp-db-credentials</span> <span class="c1"># Created by ESO from ExternalSecret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> </code></pre> </div> <h2> Verification </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check ExternalSecret sync status</span> kubectl <span class="nt">--context</span> prod-use1 get externalsecret <span class="nt">-n</span> myapp <span class="c"># NAME STORE REFRESH INTERVAL STATUS READY</span> <span class="c"># myapp-secrets aws-secrets-manager 1h SecretSynced True</span> <span class="c"># Check the Kubernetes Secret was created</span> kubectl <span class="nt">--context</span> prod-use1 get secret myapp-db-credentials <span class="nt">-n</span> myapp <span class="c"># NAME TYPE DATA AGE</span> <span class="c"># myapp-db-credentials Opaque 1 5m</span> <span class="c"># View (base64 encoded — decode to see value)</span> kubectl <span class="nt">--context</span> prod-use1 get secret myapp-db-credentials <span class="nt">-n</span> myapp <span class="se">\</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.DB_PASSWORD}'</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <blockquote> <p><strong>ArgoCD false positive:</strong> ArgoCD will show the myapp Application as <code>OutOfSync</code> even when everything is working. This is because ESO writes <code>status.refreshTime</code> to the ExternalSecret at every sync cycle. ArgoCD detects this runtime write as a diff from the Git-defined manifest. This is a known, safe false positive — the secret IS syncing correctly.</p> </blockquote> <h2> Secret Rotation </h2> <p>When you need to rotate a secret:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Update in AWS Secrets Manager</span> aws secretsmanager update-secret <span class="se">\</span> <span class="nt">--secret-id</span> <span class="s2">"production/myapp/db-password"</span> <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s1">'{"password":"new-rotated-value"}'</span> <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="c"># 2. ESO picks it up automatically within refreshInterval (1h)</span> <span class="c"># OR force immediate refresh:</span> kubectl <span class="nt">--context</span> prod-use1 annotate externalsecret myapp-secrets <span class="nt">-n</span> myapp <span class="se">\</span> force-sync<span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> <span class="nt">--overwrite</span> <span class="c"># 3. Kubernetes Secret is updated</span> <span class="c"># 4. Pods need restart to pick up new env var value:</span> kubectl <span class="nt">--context</span> prod-use1 rollout restart deployment/myapp <span class="nt">-n</span> myapp </code></pre> </div> <h2> Grafana Admin Secret — A Real-World Lesson </h2> <p>During this build, we used <code>existingSecret: grafana-admin-secret</code> in the kube-prometheus-stack values. The secret was created with a placeholder password <code>YourStrongPassword123!</code>. Grafana initialized its SQLite database with this value when the pod first started.</p> <p>Later, the secret value was changed — but Grafana's database still had the old value. The env var <code>GF_SECURITY_ADMIN_PASSWORD</code> only sets the initial password; it cannot change an existing one.</p> <p><strong>Fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> monitoring &lt;grafana-pod&gt; <span class="nt">-c</span> grafana <span class="nt">--</span> <span class="se">\</span> grafana-cli admin reset-admin-password <span class="s1">'NewPassword!'</span> </code></pre> </div> <p><strong>Lesson:</strong> For any tool that reads credentials once at database initialization, changing the Kubernetes Secret is not enough. You must either reset via the tool's CLI or destroy and recreate the persistent volume.</p> <h2> Summary </h2> <p>By the end of Part 7 you have:</p> <ul> <li>✅ All secrets stored exclusively in AWS Secrets Manager (never in Git or images)</li> <li>✅ ESO installed on all 6 clusters via ArgoCD ApplicationSet</li> <li>✅ IRSA roles per cluster with least-privilege Secrets Manager read access</li> <li>✅ SecretStore + ExternalSecret CRDs syncing secrets into Kubernetes</li> <li>✅ Helm chart values.yaml integration with enabled/disabled toggle per environment</li> <li>✅ Secret rotation workflow (update in ASM → ESO auto-refreshes)</li> </ul> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: AWS Secrets Manager console showing secrets per environment</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F84ffm8fa2yj6y41scd7g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F84ffm8fa2yj6y41scd7g.png" alt="Show in frame: The secret names dev/myapp/db-password and production/myapp/db-password in the list. This shows the naming convention." width="800" height="442"></a></p> <p><strong>SCREENSHOT: kubectl get externalsecret showing SecretSynced: True</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnr1967wvwiz4p7euu747.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnr1967wvwiz4p7euu747.png" alt="Show in frame: Output showing STATUS: SecretSynced and READY: True. This is in the Live Data Appendix already but a terminal screenshot is more visual." width="800" height="734"></a></p> <p><strong>SCREENSHOT: ArgoCD showing ESO app as OutOfSync/Healthy (expected false positive)</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu9my555e58i7uz3z02ob.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu9my555e58i7uz3z02ob.png" alt="ArgoCD showing ESO app as OutOfSync/Healthy (expected false positive" width="800" height="444"></a></p> </blockquote> <p><em>Next: Part 8 — Security Stack: Kyverno, Falco, WAF, and GuardDuty</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> githubactions devops docker kubernetes Part 6: CI/CD Pipeline Matthew Wed, 15 Apr 2026 14:00:00 +0000 https://dev.to/matthewdipo/part-6-cicd-pipeline-5fde https://dev.to/matthewdipo/part-6-cicd-pipeline-5fde <h2> Part 6: CI/CD Pipeline — GitHub Actions, Trivy, Cosign, and ECR </h2> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>The CI/CD pipeline is the gateway between a developer's <code>git push</code> and a running container in production. Every security control that can be automated should live here — not as an afterthought but as a first-class gate that blocks bad artifacts from ever reaching a cluster.</p> <p>This pipeline enforces:</p> <ul> <li> <strong>No HIGH or CRITICAL CVEs</strong> — Trivy blocks the build before the image is pushed</li> <li> <strong>No static AWS credentials</strong> — GitHub OIDC exchanges JWT tokens for temporary STS creds</li> <li> <strong>Cryptographic image provenance</strong> — Cosign signs every image with an AWS KMS key; Kyverno verifies the signature before admitting the pod</li> <li> <strong>Immutable image tags</strong> — <code>sha-&lt;full-commit-sha&gt;</code>, never <code>:latest</code> </li> <li> <strong>Audit trail</strong> — every push is logged to S3 with digest, timestamp, and caller identity</li> </ul> <h2> The Application (myapp) </h2> <p>A minimal Node.js/Express API that represents any real production service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>myapp/ ├── src/ │ └── index.js # Express app with /health and /metrics ├── Dockerfile ├── package.json └── .github/ └── workflows/ └── ci.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/index.js</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">promClient</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">prom-client</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">register</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">promClient</span><span class="p">.</span><span class="nc">Registry</span><span class="p">();</span> <span class="nx">promClient</span><span class="p">.</span><span class="nf">collectDefaultMetrics</span><span class="p">({</span> <span class="nx">register</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">httpRequestsTotal</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">promClient</span><span class="p">.</span><span class="nc">Counter</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">myapp_http_requests_total</span><span class="dl">'</span><span class="p">,</span> <span class="na">help</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Total HTTP requests</span><span class="dl">'</span><span class="p">,</span> <span class="na">labelNames</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">route</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">status_code</span><span class="dl">'</span><span class="p">],</span> <span class="na">registers</span><span class="p">:</span> <span class="p">[</span><span class="nx">register</span><span class="p">],</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">finish</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">httpRequestsTotal</span><span class="p">.</span><span class="nf">inc</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="na">route</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">path</span><span class="p">,</span> <span class="na">status_code</span><span class="p">:</span> <span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">healthy</span><span class="dl">'</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_REGION</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">unknown</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/metrics</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">,</span> <span class="nx">register</span><span class="p">.</span><span class="nx">contentType</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="k">await</span> <span class="nx">register</span><span class="p">.</span><span class="nf">metrics</span><span class="p">());</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">8080</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Listening on :8080</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <h2> Dockerfile — Distroless Nonroot </h2> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Stage 1: Build dependencies</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:18-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="c"># Stage 2: Runtime — distroless (no shell, no package manager)</span> <span class="k">FROM</span><span class="s"> gcr.io/distroless/nodejs18-debian12:nonroot</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy only what's needed — no node_modules dev dependencies, no source maps</span> <span class="k">COPY</span><span class="s"> --from=builder /app/node_modules ./node_modules</span> <span class="k">COPY</span><span class="s"> src/ ./src/</span> <span class="k">COPY</span><span class="s"> package.json ./</span> <span class="c"># nonroot image runs as uid 65532 by default — no root, ever</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">CMD</span><span class="s"> ["src/index.js"]</span> </code></pre> </div> <p><strong>Why distroless?</strong><br> The <code>nonroot</code> variant contains only the Node.js runtime. There is no:</p> <ul> <li> <code>/bin/sh</code> or <code>/bin/bash</code> — an attacker with RCE cannot spawn an interactive shell</li> <li> <code>apt</code>, <code>apk</code>, <code>yum</code> — cannot install additional tools</li> <li> <code>curl</code>, <code>wget</code> — cannot exfiltrate data or download payloads</li> <li>Any other utility that would help lateral movement</li> </ul> <p>Falco still alerts on any unexpected syscalls, but the attack surface is dramatically reduced.</p> <h2> Pipeline Overview </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmlcmtteraw33w16cqrau.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmlcmtteraw33w16cqrau.png" alt="GitHub Actions CI/CD Pipeline — 7 stages from git push to pods running, <br> including OIDC auth, Trivy scanning, Cosign signing, and ArgoCD GitOps <br> deployment" width="800" height="295"></a></p> <p><em>The complete pipeline: no static AWS credentials anywhere. OIDC authenticates <br> GitHub Actions to AWS. Every image is signed with Cosign before Kyverno will <br> admit it to the cluster.</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────────┐ │ git push → main │ │ │ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ Job 1: test │ npm ci + npm test │ │ └────────┬─────────┘ │ │ │ needs: test │ │ ▼ │ │ ┌──────────────────┐ │ │ │ Job 2: scan │ trivy image → fail on HIGH/CRITICAL │ │ └────────┬─────────┘ │ │ │ needs: scan │ │ ▼ │ │ ┌──────────────────────────────────────────────┐ │ │ │ Job 3: build-push-sign │ │ │ │ ├─ OIDC → assume IAM role (no static keys) │ │ │ │ ├─ docker build (distroless) │ │ │ │ ├─ push → ECR us-east-1 │ │ │ │ ├─ push → ECR us-west-2 │ │ │ │ ├─ cosign sign (AWS KMS) │ │ │ │ └─ S3 audit log │ │ │ └────────┬─────────────────────────────────────┘ │ │ │ needs: build-push-sign │ │ ▼ │ │ ┌──────────────────────────────────────────────┐ │ │ │ Job 4: update-gitops │ │ │ │ └─ patch image.tag in values-*.yaml → push │ │ │ └──────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Full GitHub Actions Workflow </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ci.yaml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ECR_REGISTRY_USE1</span><span class="pi">:</span> <span class="s">206617159586.dkr.ecr.us-east-1.amazonaws.com</span> <span class="na">ECR_REGISTRY_USW2</span><span class="pi">:</span> <span class="s">206617159586.dkr.ecr.us-west-2.amazonaws.com</span> <span class="na">IMAGE_NAME</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">AWS_REGION_USE1</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">AWS_REGION_USW2</span><span class="pi">:</span> <span class="s">us-west-2</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="c1"># Required for OIDC</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="c1"># Required for gitops update commit</span> <span class="na">packages</span><span class="pi">:</span> <span class="s">read</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">18'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> <span class="na">scan</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">test</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build image for scanning</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t ${{ env.IMAGE_NAME }}:scan-${{ github.sha }} .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Trivy vulnerability scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image-ref</span><span class="pi">:</span> <span class="s">${{ env.IMAGE_NAME }}:scan-${{ github.sha }}</span> <span class="na">format</span><span class="pi">:</span> <span class="s">table</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="c1"># Fail the pipeline on findings</span> <span class="na">severity</span><span class="pi">:</span> <span class="s1">'</span><span class="s">HIGH,CRITICAL'</span> <span class="c1"># Only fail on HIGH and CRITICAL</span> <span class="na">ignore-unfixed</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Skip CVEs with no available fix</span> <span class="na">build-push-sign</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">scan</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="c1"># Only push on main branch, not PRs</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">image-digest-use1</span><span class="pi">:</span> <span class="s">${{ steps.push-use1.outputs.digest }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials via OIDC</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">${{ vars.AWS_ROLE_ARN_USE1 }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION_USE1 }}</span> <span class="c1"># No static access keys — OIDC exchanges GitHub JWT for STS temp creds</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to ECR us-east-1</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION_USE1 }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to ECR us-west-2</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION_USW2 }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Docker Buildx</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push to us-east-1</span> <span class="na">id</span><span class="pi">:</span> <span class="s">push-use1</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">${{ env.ECR_REGISTRY_USE1 }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}</span> <span class="s">${{ env.ECR_REGISTRY_USE1 }}/${{ env.IMAGE_NAME }}:latest</span> <span class="na">cache-from</span><span class="pi">:</span> <span class="s">type=gha</span> <span class="na">cache-to</span><span class="pi">:</span> <span class="s">type=gha,mode=max</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Copy image to us-west-2</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">DIGEST="${{ steps.push-use1.outputs.digest }}"</span> <span class="s">docker buildx imagetools create \</span> <span class="s">--tag ${{ env.ECR_REGISTRY_USW2 }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }} \</span> <span class="s">${{ env.ECR_REGISTRY_USE1 }}/${{ env.IMAGE_NAME }}@${DIGEST}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Cosign</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">sigstore/cosign-installer@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Sign image with AWS KMS</span> <span class="na">env</span><span class="pi">:</span> <span class="na">COSIGN_KEY</span><span class="pi">:</span> <span class="s">${{ vars.COSIGN_KMS_KEY_ARN }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">DIGEST="${{ steps.push-use1.outputs.digest }}"</span> <span class="s">IMAGE="${{ env.ECR_REGISTRY_USE1 }}/${{ env.IMAGE_NAME }}@${DIGEST}"</span> <span class="s"># Sign the image — creates an OCI attestation artifact in ECR</span> <span class="s">cosign sign --key awskms:///${COSIGN_KEY} \</span> <span class="s">--yes \</span> <span class="s">${IMAGE}</span> <span class="s">echo "Signed: ${IMAGE}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Write S3 audit log</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">DIGEST="${{ steps.push-use1.outputs.digest }}"</span> <span class="s">TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)</span> <span class="s">CALLER=$(aws sts get-caller-identity --query Arn --output text)</span> <span class="s">echo "{</span> <span class="s">\"timestamp\": \"${TIMESTAMP}\",</span> <span class="s">\"repo\": \"${{ github.repository }}\",</span> <span class="s">\"sha\": \"${{ github.sha }}\",</span> <span class="s">\"digest\": \"${DIGEST}\",</span> <span class="s">\"pushed_by\": \"${CALLER}\",</span> <span class="s">\"workflow\": \"${{ github.workflow }}\",</span> <span class="s">\"run_id\": \"${{ github.run_id }}\"</span> <span class="s">}" | aws s3 cp - \</span> <span class="s">s3://${{ vars.AUDIT_BUCKET }}/ci-push-audit/${{ github.sha }}.json</span> <span class="na">update-gitops</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build-push-sign</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout myapp-gitops</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">MatthewDipo/myapp-gitops</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITOPS_PAT }}</span> <span class="na">path</span><span class="pi">:</span> <span class="s">myapp-gitops</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update image tags</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd myapp-gitops</span> <span class="s">NEW_TAG="sha-${{ github.sha }}"</span> <span class="s"># Update all environment value files</span> <span class="s">for FILE in apps/myapp/values-dev.yaml \</span> <span class="s">apps/myapp/values-staging.yaml \</span> <span class="s">apps/myapp/values-production.yaml; do</span> <span class="s">sed -i "s|tag: sha-[a-f0-9]*|tag: ${NEW_TAG}|g" $FILE</span> <span class="s">echo "Updated $FILE → ${NEW_TAG}"</span> <span class="s">done</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Commit and push</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd myapp-gitops</span> <span class="s">git config user.email "ci@github.com"</span> <span class="s">git config user.name "GitHub Actions"</span> <span class="s">git add apps/myapp/values-*.yaml</span> <span class="s">git commit -m "ci: update image tag to sha-${{ github.sha }}"</span> <span class="s">git push origin main</span> </code></pre> </div> <h2> GitHub Repository Variables (not secrets) </h2> <p>These are set in the GitHub UI under <strong>Settings → Secrets and variables → Actions → Variables</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Variable</th> <th>Value</th> <th>Why not a secret?</th> </tr> </thead> <tbody> <tr> <td><code>AWS_ROLE_ARN_USE1</code></td> <td><code>arn:aws:iam::206617159586:role/myapp-dev-use1-github-ci</code></td> <td>Not sensitive — it's a role ARN, useless without the OIDC token</td> </tr> <tr> <td><code>COSIGN_KMS_KEY_ARN</code></td> <td><code>arn:aws:kms:us-east-1:206617159586:key/...</code></td> <td>Not sensitive — KMS key ID alone grants nothing</td> </tr> <tr> <td><code>AUDIT_BUCKET</code></td> <td><code>myapp-ci-audit-206617159586</code></td> <td>Not sensitive</td> </tr> </tbody> </table></div> <p>Only <code>GITOPS_PAT</code> (GitHub Personal Access Token to push to myapp-gitops) is a <strong>secret</strong>.</p> <blockquote> <p><strong>No AWS_ACCESS_KEY_ID. No AWS_SECRET_ACCESS_KEY.</strong> These should never appear in a modern CI pipeline.</p> </blockquote> <h2> Cosign Image Signing </h2> <p>Cosign attaches a cryptographic signature to the image in the same ECR repository. The signature is stored as a separate OCI artifact tagged with the image digest.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ECR Repository: myapp sha-abc123def456... ← Your application image sha256-abc123def456...sig ← Cosign signature (OCI artifact) sha256-abc123def456...att ← Cosign attestation (SBOM, etc.) </code></pre> </div> <p><strong>Verification (what Kyverno does at admission time):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cosign verify <span class="se">\</span> <span class="nt">--key</span> awskms:///arn:aws:kms:us-east-1:206617159586:key/YOUR_KEY_ID <span class="se">\</span> 206617159586.dkr.ecr.us-east-1.amazonaws.com/myapp:sha-abc123 <span class="c"># Output if valid:</span> <span class="c"># Verification for 206617159586.dkr.ecr.us-east-1.amazonaws.com/myapp:sha-abc123</span> <span class="c"># The following checks were performed on each of these signatures:</span> <span class="c"># - The cosign claims were validated</span> <span class="c"># - The signatures were verified against the specified public key</span> </code></pre> </div> <h2> Image Naming Convention </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>206617159586.dkr.ecr.us-east-1.amazonaws.com/myapp:sha-&lt;full-40-char-git-sha&gt; </code></pre> </div> <p><strong>Why <code>sha-&lt;full-sha&gt;</code> and not semantic versioning?</strong></p> <ul> <li> <strong>Traceability:</strong> Given any running pod, you can run <code>git show &lt;sha&gt;</code> to see the exact commit</li> <li> <strong>Immutability:</strong> Two builds of the same SHA produce the same image (deterministic builds)</li> <li> <strong>No tag collisions:</strong> <code>v1.0.0</code> can be overwritten; a git SHA cannot</li> <li> <strong>No <code>:latest</code>:</strong> <code>:latest</code> is the devil — it means different things at different times and breaks reproducibility</li> </ul> <h2> Pre-commit Hooks </h2> <p>Before code ever reaches GitHub, pre-commit hooks catch common issues locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .pre-commit-config.yaml</span> <span class="na">repos</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/pre-commit/pre-commit-hooks</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">v4.5.0</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">trailing-whitespace</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">end-of-file-fixer</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">check-yaml</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">check-merge-conflict</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/hadolint/hadolint</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">v2.12.0</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">hadolint-docker</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">--ignore'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">DL3006'</span><span class="pi">]</span> <span class="c1"># DL3006: always tag FROM image</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/Yelp/detect-secrets</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">v1.5.0</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">detect-secrets</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">--baseline'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">.secrets.baseline'</span><span class="pi">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install pre-commit</span> pip <span class="nb">install </span>pre-commit pre-commit <span class="nb">install</span> <span class="c"># Run manually against all files</span> pre-commit run <span class="nt">--all-files</span> </code></pre> </div> <h2> Pipeline Security Properties </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Property</th> <th>How Achieved</th> </tr> </thead> <tbody> <tr> <td>No secrets in Git</td> <td>detect-secrets pre-commit hook</td> </tr> <tr> <td>No secrets in CI</td> <td>OIDC replaces static AWS keys</td> </tr> <tr> <td>No HIGH/CRITICAL CVEs</td> <td>Trivy scan blocks pipeline</td> </tr> <tr> <td>No unverified images</td> <td>Kyverno admission webhook</td> </tr> <tr> <td>Immutable artifacts</td> <td>ECR <code>IMMUTABLE</code> tag mutability</td> </tr> <tr> <td>Cryptographic provenance</td> <td>Cosign + AWS KMS signing</td> </tr> <tr> <td>Full audit trail</td> <td>S3 + CloudTrail</td> </tr> <tr> <td>Reproducible builds</td> <td>Pinned base image SHA, <code>npm ci</code> </td> </tr> </tbody> </table></div> <h2> Summary </h2> <p>By the end of Part 6 you have:</p> <ul> <li>✅ A secure Dockerfile using distroless/nonroot with multi-stage build</li> <li>✅ GitHub Actions pipeline with 4 jobs: test → scan → build/push/sign → gitops update</li> <li>✅ OIDC-based AWS authentication (zero static credentials)</li> <li>✅ Trivy CVE scanning blocking HIGH/CRITICAL vulnerabilities</li> <li>✅ Cosign image signing with AWS KMS</li> <li>✅ Automatic image tag update in myapp-gitops triggering ArgoCD sync</li> <li>✅ S3 audit log for every image push</li> <li>✅ Pre-commit hooks catching issues before they reach CI</li> </ul> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: GitHub Actions — workflow run showing all 4 jobs passing (green checkmarks)</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsp8eecy972exm49fze9h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsp8eecy972exm49fze9h.png" alt="Show in frame: A completed workflow run showing all 4 jobs (build-test, build-push, sign, deploy) with green checkmarks. Click into the run to show the job list." width="800" height="445"></a></p> <p><strong>SCREENSHOT: ECR repository showing images with sha- tags and scan results (no HIGH/CRITICAL)</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9koskql8iqphgf5aldyt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9koskql8iqphgf5aldyt.png" alt="ECR repository showing images with sha- tags and scan results (no HIGH/CRITICAL)" width="800" height="444"></a></p> <p><strong>SCREENSHOT: GitHub Actions — Job 3 logs showing "Signed: ..." cosign output</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy44tu0l190e6wvmh5myv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy44tu0l190e6wvmh5myv.png" alt=" " width="800" height="444"></a></p> </blockquote> <p><em>Next: Part 7 — Secrets Management: AWS Secrets Manager + External Secrets Operator + IRSA</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> githubactions devops docker kubernetes Part 5: GitOps with ArgoCD Matthew Thu, 09 Apr 2026 23:50:20 +0000 https://dev.to/matthewdipo/part-5-gitops-with-argocd-4p36 https://dev.to/matthewdipo/part-5-gitops-with-argocd-4p36 <p>5: GitOps with ArgoCD — Hub-Spoke Model</p> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>GitOps flips the traditional CI/CD model. Instead of a pipeline <em>pushing</em> manifests into a cluster, the cluster <em>pulls</em> its desired state from Git. The result:</p> <ul> <li> <strong>Audit trail built-in:</strong> every cluster change is a Git commit with author, timestamp, and diff</li> <li> <strong>Self-healing:</strong> ArgoCD continuously reconciles — if someone <code>kubectl apply</code>s something manually, ArgoCD reverts it within minutes</li> <li> <strong>Rollback is <code>git revert</code>:</strong> no special tooling, no cluster access needed</li> <li> <strong>Drift detection:</strong> ArgoCD shows you exactly when a cluster diverges from what's in Git</li> </ul> <p>This pipeline uses ArgoCD in a <strong>hub-spoke</strong> topology: one ArgoCD installation on <code>myapp-production-use1</code> manages all six clusters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────┐ │ ArgoCD HUB: myapp-production-use1 │ │ │ │ Watches: github.com/MatthewDipo/myapp-gitops (main branch) │ │ Manages: 6 clusters via registered cluster credentials │ │ │ │ ApplicationSets generate Applications per cluster: │ │ ┌──────────────────────────────────────────────────────────┐ │ │ │ environments/production/applicationset.yaml │ │ │ │ → prometheus-myapp-production-use1 │ │ │ │ → prometheus-myapp-production-usw2 │ │ │ │ → prometheus-myapp-staging-use1 (staging project) │ │ │ │ → prometheus-myapp-staging-usw2 │ │ │ └──────────────────────────────────────────────────────────┘ │ └────────────────────────────┬────────────────────────────────────┘ VPC Peering (private │ endpoints) ┌────────────────────────┤ │ ┌───────────────────┤ │ │ ┌──────────────┤──────────────┐ ▼ ▼ ▼ ▼ ▼ prod-usw2 staging-use1 staging-usw2 dev-use1 dev-usw2 </code></pre> </div> <p><strong>Why hub-spoke over running ArgoCD in every cluster?</strong><br> One ArgoCD = one UI, one set of secrets, one audit log. Running six ArgoCD instances means six independent control planes to maintain, upgrade, and monitor. The operational overhead multiplies linearly with clusters.</p> <h2> Step 1: Install ArgoCD on the Hub </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable public endpoint on prod-use1 for bootstrapping</span> aws eks update-cluster-config <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">true</span>,endpointPrivateAccess<span class="o">=</span><span class="nb">true</span>,publicAccessCidrs<span class="o">=</span><span class="s2">"0.0.0.0/0"</span> <span class="nb">sleep </span>180 <span class="c"># Wait for propagation</span> <span class="c"># Install ArgoCD</span> kubectl <span class="nt">--context</span> prod-use1 create namespace argocd helm repo add argo https://argoproj.github.io/argo-helm helm <span class="nb">install </span>argocd argo/argo-cd <span class="se">\</span> <span class="nt">--namespace</span> argocd <span class="se">\</span> <span class="nt">--version</span> 6.7.3 <span class="se">\</span> <span class="nt">--set</span> server.service.type<span class="o">=</span>LoadBalancer <span class="se">\</span> <span class="nt">--set</span> configs.params.<span class="s2">"server</span><span class="se">\.</span><span class="s2">insecure"</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--no-hooks</span> <span class="se">\</span> <span class="nt">--wait</span> <span class="nt">--timeout</span> 5m <span class="c"># Get the LoadBalancer URL</span> kubectl <span class="nt">--context</span> prod-use1 get svc <span class="nt">-n</span> argocd argocd-server <span class="se">\</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.status.loadBalancer.ingress[0].hostname}'</span> <span class="c"># Get initial admin password</span> kubectl <span class="nt">--context</span> prod-use1 get secret <span class="nt">-n</span> argocd argocd-initial-admin-secret <span class="se">\</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.password}'</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="c"># Login via CLI</span> argocd login &lt;LB_HOSTNAME&gt; <span class="nt">--username</span> admin <span class="nt">--password</span> &lt;PASSWORD&gt; <span class="nt">--insecure</span> </code></pre> </div> <h2> Step 2: Create AppProjects </h2> <p>AppProjects define what each group of Applications is allowed to do — which source repos, which destination clusters, and which namespaces. They are the RBAC boundary in ArgoCD.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># argocd/project-production.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AppProject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">production</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Production workloads and infrastructure</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://github.com/MatthewDipo/myapp-gitops.git</span> <span class="pi">-</span> <span class="s">https://prometheus-community.github.io/helm-charts</span> <span class="pi">-</span> <span class="s">https://charts.external-secrets.io</span> <span class="pi">-</span> <span class="s">https://aws.github.io/eks-charts</span> <span class="pi">-</span> <span class="s">https://kyverno.github.io/kyverno</span> <span class="pi">-</span> <span class="s">https://falcosecurity.github.io/charts</span> <span class="pi">-</span> <span class="s">https://vmware-tanzu.github.io/helm-charts</span> <span class="pi">-</span> <span class="s">https://charts.jetstack.io</span> <span class="pi">-</span> <span class="s">https://grafana.github.io/helm-charts</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">server</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="c1"># IMPORTANT: use server: "*" not name: "*"</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="c1"># ArgoCD resolves cluster name → server URL for permission checks</span> <span class="na">clusterResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">namespaceResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> </code></pre> </div> <blockquote> <p><strong>Critical lesson:</strong> Use <code>server: "*"</code> not <code>name: "*"</code> in AppProject destinations. ArgoCD resolves cluster names to server URLs when enforcing project permissions. With <code>name: "*"</code> alone, syncs to named clusters fail with permission errors. With <code>server: "*"</code>, it works correctly.</p> </blockquote> <p>Apply all three projects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> argocd/project-dev.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> argocd/project-staging.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> argocd/project-production.yaml </code></pre> </div> <h2> Step 3: Add the Private GitOps Repo </h2> <p>ArgoCD needs credentials to pull from a private repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd repo add https://github.com/MatthewDipo/myapp-gitops.git <span class="se">\</span> <span class="nt">--username</span> MatthewDipo <span class="se">\</span> <span class="nt">--password</span> &lt;GITHUB_PAT&gt; <span class="se">\</span> <span class="nt">--insecure-skip-server-verification</span> <span class="c"># Verify</span> argocd repo list </code></pre> </div> <h2> Step 4: Register Spoke Clusters </h2> <p>Each spoke cluster is registered by running <code>argocd cluster add</code> with the cluster's kubeconfig context. This creates a ServiceAccount and ClusterRoleBinding in the spoke cluster that ArgoCD uses to manage resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Dev clusters (public endpoints — accessible directly)</span> argocd cluster add dev-use1 <span class="nt">--name</span> myapp-dev-use1 <span class="nt">--yes</span> argocd cluster add dev-usw2 <span class="nt">--name</span> myapp-dev-usw2 <span class="nt">--yes</span> <span class="c"># Private clusters — must temporarily enable public endpoint first</span> <span class="k">for </span>CLUSTER <span class="k">in </span>myapp-staging-use1 myapp-staging-usw2 myapp-production-usw2<span class="p">;</span> <span class="k">do </span><span class="nv">REGION</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$CLUSTER</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"use1"</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"us-east-1"</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"us-west-2"</span><span class="si">)</span> <span class="nv">ENV</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$CLUSTER</span> | <span class="nb">cut</span> <span class="nt">-d-</span> <span class="nt">-f2</span><span class="si">)</span> <span class="nv">PROFILE</span><span class="o">=</span><span class="s2">"myapp-</span><span class="k">${</span><span class="nv">ENV</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="nv">REGION</span><span class="p">//us-east-1/use1</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="nv">REGION</span><span class="p">//us-west-2/usw2</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Enabling public endpoint on </span><span class="nv">$CLUSTER</span><span class="s2">..."</span> aws eks update-cluster-config <span class="nt">--name</span> <span class="nv">$CLUSTER</span> <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="se">\</span> <span class="nt">--profile</span> myapp-<span class="k">${</span><span class="nv">ENV</span><span class="k">}</span>-<span class="si">$(</span><span class="nb">echo</span> <span class="nv">$REGION</span> | <span class="nb">sed</span> <span class="s1">'s/us-east-1/use1/;s/us-west-2/usw2/'</span><span class="si">)</span> <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">true</span>,endpointPrivateAccess<span class="o">=</span><span class="nb">true</span>,publicAccessCidrs<span class="o">=</span><span class="s2">"0.0.0.0/0"</span> <span class="nb">sleep </span>180 <span class="nv">CTX</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$CLUSTER</span> | <span class="nb">sed</span> <span class="s1">'s/myapp-//;s/-use1/-use1/;s/-usw2/-usw2/'</span><span class="si">)</span> argocd cluster add <span class="nv">$CTX</span> <span class="nt">--name</span> <span class="nv">$CLUSTER</span> <span class="nt">--yes</span> <span class="nb">echo</span> <span class="s2">"Locking </span><span class="nv">$CLUSTER</span><span class="s2"> back to private..."</span> aws eks update-cluster-config <span class="nt">--name</span> <span class="nv">$CLUSTER</span> <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="se">\</span> <span class="nt">--profile</span> myapp-<span class="k">${</span><span class="nv">ENV</span><span class="k">}</span>-<span class="si">$(</span><span class="nb">echo</span> <span class="nv">$REGION</span> | <span class="nb">sed</span> <span class="s1">'s/us-east-1/use1/;s/us-west-2/usw2/'</span><span class="si">)</span> <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">false</span>,endpointPrivateAccess<span class="o">=</span><span class="nb">true </span><span class="k">done</span> <span class="c"># Verify all clusters registered</span> argocd cluster list </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">SERVER NAME VERSION STATUS https://kubernetes.default.svc in-cluster 1.29 Successful </span><span class="gp">&lt;spoke-endpoint&gt;</span><span class="w"> </span>myapp-dev-use1 1.29 Successful <span class="gp">&lt;spoke-endpoint&gt;</span><span class="w"> </span>myapp-dev-usw2 1.29 Successful <span class="gp">&lt;spoke-endpoint&gt;</span><span class="w"> </span>myapp-staging-use1 1.29 Successful <span class="gp">&lt;spoke-endpoint&gt;</span><span class="w"> </span>myapp-staging-usw2 1.29 Successful <span class="gp">&lt;spoke-endpoint&gt;</span><span class="w"> </span>myapp-production-usw2 1.29 Successful </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdqx02fxnc4ybl2t3xltd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdqx02fxnc4ybl2t3xltd.png" alt="ArgoCD Hub-Spoke GitOps Architecture — production-use1 as hub managing 5 <br> spoke clusters via VPC Peering, with dev clusters on public endpoints" width="800" height="429"></a></p> <p><em>Solid lines = VPC Peering (private). Dashed lines = public endpoints (dev only). <br> The hub cluster runs ArgoCD and manages 47 Applications across all 6 clusters.</em></p> <h2> Step 5: ApplicationSet — The Core of Hub-Spoke GitOps </h2> <p>An ApplicationSet is a controller that generates ArgoCD Applications from a template and a generator. The <strong>list generator</strong> creates one Application per element in the list — one per cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># environments/production/applicationset.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ApplicationSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp-production</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">generators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">list</span><span class="pi">:</span> <span class="na">elements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-production-use1</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">certArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:acm:us-east-1:591120834781:certificate/9ab022c9-..."</span> <span class="na">wafAclArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:wafv2:us-east-1:591120834781:regional/webacl/..."</span> <span class="na">irsaRoleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::591120834781:role/myapp-production-use1-eso"</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-production-usw2</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-west-2</span> <span class="na">certArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:acm:us-west-2:591120834781:certificate/171cac9d-..."</span> <span class="na">wafAclArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:wafv2:us-west-2:591120834781:regional/webacl/..."</span> <span class="na">irsaRoleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::591120834781:role/myapp-production-usw2-eso"</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">myapp-production-{{cluster}}"</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">component</span><span class="pi">:</span> <span class="s">application</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">region</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{region}}"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">production</span> <span class="na">sources</span><span class="pi">:</span> <span class="c1"># Source 1: the Helm chart (from gitops repo)</span> <span class="pi">-</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/MatthewDipo/myapp-gitops.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">ref</span><span class="pi">:</span> <span class="s">gitopsValues</span> <span class="c1"># Named reference — used in source 2</span> <span class="c1"># Source 2: Helm chart with values from the gitops repo</span> <span class="pi">-</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/MatthewDipo/myapp-gitops.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps/myapp</span> <span class="na">helm</span><span class="pi">:</span> <span class="na">valueFiles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$gitopsValues/apps/myapp/values.yaml</span> <span class="pi">-</span> <span class="s">$gitopsValues/apps/myapp/values-production.yaml</span> <span class="na">parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">image.tag"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sha-45d92fc5ffd4555caf35b996ed1eec4e45152dce"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">env.AWS_REGION"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{region}}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ingress.certArn"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{certArn}}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ingress.wafAclArn"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{wafAclArn}}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">externalSecrets.irsaRoleArn"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{irsaRoleArn}}"</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{cluster}}"</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Remove resources deleted from Git</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Revert manual kubectl changes</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> <span class="pi">-</span> <span class="s">ServerSideApply=true</span> <span class="na">retry</span><span class="pi">:</span> <span class="na">limit</span><span class="pi">:</span> <span class="m">3</span> <span class="na">backoff</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">maxDuration</span><span class="pi">:</span> <span class="s">10m</span> <span class="na">factor</span><span class="pi">:</span> <span class="m">2</span> </code></pre> </div> <h3> Key ApplicationSet concepts: </h3> <p><strong><code>automated.prune: true</code></strong> — If you delete a file from Git, ArgoCD deletes the corresponding Kubernetes resource. Without this, deleted manifests leave orphaned resources.</p> <p><strong><code>automated.selfHeal: true</code></strong> — If someone runs <code>kubectl edit</code> and changes something, ArgoCD detects the drift and reverts it within ~3 minutes. This enforces Git as the only source of truth.</p> <p><strong><code>ServerSideApply: true</code></strong> — Required for CRDs and resources that multiple controllers manage (e.g., Prometheus operator patches its own webhook config). Without this, field ownership conflicts cause sync failures.</p> <p><strong><code>retry</code></strong> — Network blips or transient API errors shouldn't fail a deployment permanently. The retry policy handles intermittent failures automatically.</p> <h2> Step 6: Deploy the ApplicationSets </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Apply all ApplicationSets from the hub cluster</span> kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> environments/dev/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> environments/staging/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> environments/production/applicationset.yaml <span class="c"># Infrastructure ApplicationSets</span> kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/eso/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/kyverno/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/falco/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/monitoring/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/logging/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/velero/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/karpenter/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/argo-rollouts/applicationset.yaml <span class="c"># Watch sync status</span> argocd app list </code></pre> </div> <h2> Sync Status and Known False Positives </h2> <p>After deploying, most apps show <code>Synced/Healthy</code>. A few will permanently show <code>OutOfSync/Healthy</code> — this is expected and safe:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>App</th> <th>Why OutOfSync</th> <th>Safe?</th> </tr> </thead> <tbody> <tr> <td>ESO (<code>external-secrets-*</code>)</td> <td>ESO writes <code>status.refreshTime</code> at runtime; ArgoCD sees this as drift</td> <td>✅ Yes</td> </tr> <tr> <td> <code>myapp-*</code> (with ESO)</td> <td>Same ESO status drift propagates to the parent app</td> <td>✅ Yes</td> </tr> <tr> <td><code>prometheus-*</code></td> <td>Prometheus operator patches its own ValidatingWebhookConfiguration at runtime</td> <td>✅ Yes</td> </tr> </tbody> </table></div> <p><strong>Real sync failures</strong> (need action):</p> <ul> <li> <code>SyncFailed</code> — usually a YAML error or missing CRD</li> <li> <code>Degraded</code> — pods crashing; check <code>kubectl describe pod</code> </li> <li> <code>Missing</code> — ArgoCD can't reach the cluster</li> </ul> <h2> Troubleshooting </h2> <p><strong>Orphaned resources after a Helm release name change:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Force prune all resources not in current Git state</span> argocd app <span class="nb">sync </span>argocd/karpenter-myapp-production-use1 <span class="nt">--prune</span> <span class="nt">--force</span> </code></pre> </div> <p><strong>App stuck in Progressing:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd app get argocd/myapp-production-myapp-production-use1 <span class="c"># Check the "Conditions" and "Events" sections</span> </code></pre> </div> <p><strong>Cluster shows Unknown:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Re-register the cluster (token may have expired)</span> argocd cluster add prod-usw2 <span class="nt">--name</span> myapp-production-usw2 <span class="nt">--yes</span> </code></pre> </div> <p><strong>AppProject permission denied:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Ensure project destinations include server: "*"</span> <span class="c"># Ensure sourceRepos includes the chart repo URL</span> kubectl <span class="nt">--context</span> prod-use1 edit appproject production <span class="nt">-n</span> argocd </code></pre> </div> <h2> VPC Peering for Hub → Spoke Connectivity </h2> <p>ArgoCD hub reaches spoke private endpoints via VPC peering. Three peering connections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>prod-use1 VPC (10.20.0.0/16) ◄──────► prod-usw2 VPC (10.21.0.0/16) prod-use1 VPC (10.20.0.0/16) ◄──────► staging-use1 VPC (10.10.0.0/16) prod-use1 VPC (10.20.0.0/16) ◄──────► staging-usw2 VPC (10.11.0.0/16) </code></pre> </div> <p>After the peering is active, ArgoCD can communicate with spoke API servers on their private IPs (<code>10.x.x.x:443</code>) without any traffic touching the internet.</p> <h2> Summary </h2> <p>By the end of Part 5 you have:</p> <ul> <li>✅ ArgoCD running on the hub cluster with a public LoadBalancer URL</li> <li>✅ Three AppProjects (dev, staging, production) with correct source and destination restrictions</li> <li>✅ All 5 spoke clusters registered (ArgoCD SA + ClusterRoleBinding installed in each)</li> <li>✅ ApplicationSets generating Applications for all environments and infrastructure components</li> <li>✅ GitOps loop closed: a commit to <code>myapp-gitops</code> triggers automatic sync to all clusters</li> </ul> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: ArgoCD UI — Applications view showing all apps, most Synced/Healthy</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbk62osg4qfx71l3zlnim.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbk62osg4qfx71l3zlnim.png" alt="Applications view" width="800" height="444"></a>## Part<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5h35ndmkjns6nx7zittk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5h35ndmkjns6nx7zittk.png" alt="Applications view" width="800" height="444"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ful8wrc5q11xqapyvpkcn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ful8wrc5q11xqapyvpkcn.png" alt="Applications view" width="800" height="443"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fguld8zxneyw3qvv19dyf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fguld8zxneyw3qvv19dyf.png" alt="Applications view" width="800" height="444"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdldjo262ufhw8v7gpm1l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdldjo262ufhw8v7gpm1l.png" alt="Applications view" width="800" height="443"></a></p> <p><strong>SCREENSHOT: ArgoCD UI — Cluster list showing all 6 clusters registered and Successful</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbxyl1gli84tvj3irpki.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbxyl1gli84tvj3irpki.png" alt="Show in frame: All 6 cluster entries with status Successful, showing cluster names and server URLs." width="800" height="441"></a></p> <p><strong>SCREENSHOT: ArgoCD UI — One Application detail view showing resource tree</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6fswzlu2dqis9oi8kjj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6fswzlu2dqis9oi8kjj.png" alt="Show in frame: The resource tree showing Rollout → ReplicaSet → Pods, Service, Ingress, HPA, ExternalSecret all connected." width="800" height="447"></a></p> <p><strong>SCREENSHOT: GitOps Repo Structure on GitHub</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvw08qoe1mq8y9sag5nqv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvw08qoe1mq8y9sag5nqv.png" alt="Show in frame: The folder tree showing environments/, infrastructure/, argocd/ with subfolders expanded." width="800" height="444"></a></p> </blockquote> <p><em>Next: Part 6 — CI/CD Pipeline: GitHub Actions, Trivy, Cosign, ECR</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> kubernetes devops gitops cloud Part 4: EKS Multi-Cluster Setup Matthew Wed, 01 Apr 2026 13:00:00 +0000 https://dev.to/matthewdipo/part-4-eks-multi-cluster-setup-2i3m https://dev.to/matthewdipo/part-4-eks-multi-cluster-setup-2i3m <h2> Part 4: EKS Multi-Cluster Setup — Six Clusters Across Two Regions </h2> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>Why six clusters instead of one? The answer is isolation and resilience:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────────────┐ │ ONE CLUSTER (anti-pattern) │ │ │ │ Dev pods → same etcd as Production pods │ │ A misconfigured dev deployment can consume all cluster resources │ │ Cluster upgrade = every environment goes down simultaneously │ │ Cost visibility: impossible to attribute spend per environment │ └──────────────────────────────────────────────────────────────────────────┘ ┌────────────────────────────────────────────────────────────────────────────┐ │ SIX CLUSTERS (this guide) │ │ │ │ myapp-dev-use1 (us-east-1, public endpoint, 2 nodes) │ │ myapp-dev-usw2 (us-west-2, public endpoint, 2 nodes) │ │ myapp-staging-use1 (us-east-1, private endpoint, 2 nodes) │ │ myapp-staging-usw2 (us-west-2, private endpoint, 2 nodes) │ │ myapp-production-use1 (us-east-1, private endpoint, 2+ nodes + Karpenter) │ │ myapp-production-usw2 (us-west-2, private endpoint, 2+ nodes + Karpenter) │ │ │ │ Benefits: │ │ ✓ Complete IAM isolation between environments │ │ ✓ Production upgrade independent of dev │ │ ✓ Regional failover — us-east-1 outage → us-west-2 serves traffic │ │ ✓ Clear cost attribution per cluster tag │ └────────────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Cluster Overview </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cluster</th> <th>Region</th> <th>Endpoint</th> <th>Nodes</th> <th>Karpenter</th> </tr> </thead> <tbody> <tr> <td><code>myapp-dev-use1</code></td> <td>us-east-1</td> <td>Public</td> <td>2 × t3.medium</td> <td>No</td> </tr> <tr> <td><code>myapp-dev-usw2</code></td> <td>us-west-2</td> <td>Public</td> <td>2 × t3.medium</td> <td>No</td> </tr> <tr> <td><code>myapp-staging-use1</code></td> <td>us-east-1</td> <td>Private</td> <td>2 × t3.medium</td> <td>No</td> </tr> <tr> <td><code>myapp-staging-usw2</code></td> <td>us-west-2</td> <td>Private</td> <td>2 × t3.medium</td> <td>No</td> </tr> <tr> <td><code>myapp-production-use1</code></td> <td>us-east-1</td> <td>Private</td> <td>2+ × t3.medium</td> <td>Yes</td> </tr> <tr> <td><code>myapp-production-usw2</code></td> <td>us-west-2</td> <td>Private</td> <td>2+ × t3.medium</td> <td>Yes</td> </tr> </tbody> </table></div> <h2> EKS Terraform Module </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/eks/main.tf</span> <span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 20.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.29"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="c1"># Nodes always in private subnets</span> <span class="nx">control_plane_subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="c1"># Endpoint access: private always on, public only for dev</span> <span class="nx">cluster_endpoint_private_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_api</span> <span class="nx">cluster_endpoint_public_access_cidrs</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_api</span> <span class="err">?</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="err">:</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="c1"># Note: AWS rejects empty list when public is disabled — always set to 0.0.0.0/0</span> <span class="c1"># Without this the cluster creator IAM role (your Terragrunt role) can't kubectl</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Encrypt Kubernetes secrets in etcd with KMS</span> <span class="nx">cluster_encryption_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_key_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_arn</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"secrets"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># EKS managed add-ons (AWS manages patching)</span> <span class="nx">cluster_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">coredns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">kube-proxy</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">vpc-cni</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">service_account_role_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc_cni_irsa</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="nx">aws-ebs-csi-driver</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">service_account_role_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ebs_csi_irsa</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_types</span> <span class="c1"># ["t3.medium"]</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">min_nodes</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">max_nodes</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">desired_nodes</span> <span class="c1"># IMPORTANT: name_prefix has a 38 character limit.</span> <span class="c1"># "myapp-production-use1-eks-node-group-" = 39 chars → FAILS.</span> <span class="c1"># Fix: use explicit role name (IAM limit is 64 chars).</span> <span class="nx">iam_role_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-node-group"</span> <span class="nx">iam_role_use_name_prefix</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Nodes need these policies to pull from ECR, write to CloudWatch, etc.</span> <span class="nx">iam_role_additional_policies</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AmazonSSMManagedInstanceCore</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"node-type"</span> <span class="p">=</span> <span class="s2">"general"</span> <span class="p">}</span> <span class="c1"># Karpenter discovery tag — only needed on production node groups</span> <span class="c1"># (Karpenter uses this to find the right security group)</span> <span class="nx">taints</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">karpenter_enabled</span> <span class="err">?</span> <span class="p">[]</span> <span class="err">:</span> <span class="p">[]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Node security group — allow Karpenter to manage nodes</span> <span class="nx">node_security_group_tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">karpenter_enabled</span> <span class="err">?</span> <span class="p">{</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="err">:</span> <span class="p">{}</span> <span class="p">}</span> <span class="c1"># IRSA for VPC CNI (pod networking)</span> <span class="nx">module</span> <span class="s2">"vpc_cni_irsa"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-vpc-cni"</span> <span class="nx">attach_vpc_cni_policy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">vpc_cni_enable_ipv4</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">oidc_providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">namespace_service_accounts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kube-system:aws-node"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># IRSA for EBS CSI Driver (persistent volumes)</span> <span class="nx">module</span> <span class="s2">"ebs_csi_irsa"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-ebs-csi"</span> <span class="nx">attach_ebs_csi_policy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">oidc_providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">namespace_service_accounts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kube-system:ebs-csi-controller-sa"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/eks/outputs.tf</span> <span class="nx">output</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"cluster_endpoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"cluster_certificate_authority_data"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"oidc_provider_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"oidc_provider"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"node_security_group_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">node_security_group_id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"node_subnet_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="p">}</span> </code></pre> </div> <h2> Per-Environment Terragrunt Configs </h2> <p><strong>Dev (public endpoint):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/dev/us-east-1/eks/terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../_modules/eks"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../vpc"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-mock"</span> <span class="nx">private_subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"subnet-mock1"</span><span class="p">,</span> <span class="s2">"subnet-mock2"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"kms"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../kms"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">key_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:kms:us-east-1:123456789:key/mock"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"myapp-dev-use1"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">private_subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">kms_key_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">kms</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">key_arn</span> <span class="nx">public_api</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Dev gets public endpoint for laptop + CI access</span> <span class="nx">min_nodes</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_nodes</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">desired_nodes</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="nx">karpenter_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p><strong>Production (private endpoint + Karpenter):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/production/us-east-1/eks/terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../_modules/eks"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../vpc"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"kms"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../kms"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"myapp-production-use1"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">private_subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">kms_key_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">kms</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">key_arn</span> <span class="nx">public_api</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Private endpoint only — no public internet access</span> <span class="nx">min_nodes</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_nodes</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">desired_nodes</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="nx">karpenter_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Karpenter manages additional nodes beyond the initial 2</span> <span class="p">}</span> </code></pre> </div> <h2> Bootstrapping Private Clusters </h2> <p>Staging and production clusters have <code>endpointPublicAccess: false</code>. This means <code>kubectl</code> from your laptop or CI cannot reach the API server directly. You must temporarily enable public access, bootstrap the cluster (install ArgoCD, register spokes, etc.), then lock it back down.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Temporarily enable public access</span> aws eks update-cluster-config <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="se">\</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">true</span>,<span class="se">\</span> <span class="nv">endpointPrivateAccess</span><span class="o">=</span><span class="nb">true</span>,<span class="se">\</span> <span class="nv">publicAccessCidrs</span><span class="o">=</span><span class="s2">"0.0.0.0/0"</span> <span class="c"># Step 2: Wait 3 minutes — AWS takes time to update the Elastic Network Interfaces</span> <span class="nb">sleep </span>180 <span class="c"># Step 3: Verify access</span> kubectl <span class="nt">--context</span> prod-use1 get nodes <span class="c"># Step 4: Bootstrap (install ArgoCD, apply ApplicationSets, etc.)</span> <span class="c"># ... your bootstrap commands ...</span> <span class="c"># Step 5: Lock back to private-only</span> aws eks update-cluster-config <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="se">\</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">false</span>,<span class="se">\</span> <span class="nv">endpointPrivateAccess</span><span class="o">=</span><span class="nb">true</span> </code></pre> </div> <blockquote> <p><strong>Do not forget Step 5.</strong> A production cluster with a public API endpoint is a security risk — the API server is internet-accessible, relying solely on authentication for protection.</p> </blockquote> <h2> kubectl Context Setup </h2> <p>After <code>terragrunt apply</code> completes for each cluster, add it to your kubeconfig:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update kubeconfig for all 6 clusters</span> aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-dev-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--alias</span> dev-use1 <span class="se">\</span> <span class="nt">--profile</span> myapp-dev-use1 aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-dev-usw2 <span class="se">\</span> <span class="nt">--region</span> us-west-2 <span class="se">\</span> <span class="nt">--alias</span> dev-usw2 <span class="se">\</span> <span class="nt">--profile</span> myapp-dev-usw2 aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-staging-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--alias</span> staging-use1 <span class="se">\</span> <span class="nt">--profile</span> myapp-staging-use1 aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-staging-usw2 <span class="se">\</span> <span class="nt">--region</span> us-west-2 <span class="se">\</span> <span class="nt">--alias</span> staging-usw2 <span class="se">\</span> <span class="nt">--profile</span> myapp-staging-usw2 aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--alias</span> prod-use1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-production-usw2 <span class="se">\</span> <span class="nt">--region</span> us-west-2 <span class="se">\</span> <span class="nt">--alias</span> prod-usw2 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-usw2 <span class="c"># Verify</span> kubectl config get-contexts </code></pre> </div> <h2> EKS Add-ons </h2> <p>EKS managed add-ons are maintained by AWS — they patch security vulnerabilities in CoreDNS, kube-proxy, and vpc-cni without you having to manage Helm releases.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kube-proxy — handles iptables rules for Service routing coredns — in-cluster DNS resolution vpc-cni — AWS VPC networking for pods (each pod gets a real VPC IP) aws-ebs-csi-driver — allows EKS to provision EBS volumes for PersistentVolumeClaims </code></pre> </div> <p><strong>Why IRSA for vpc-cni and ebs-csi?</strong><br> These add-ons need to call AWS APIs (EC2 for ENI management, EC2 for EBS volume ops). Without IRSA they would use the node's EC2 instance profile — giving every pod on the node those permissions. With IRSA, only the specific add-on service account has the permissions.</p> <h2> Fixing kubectl 401 Errors </h2> <p>If <code>kubectl get nodes</code> returns HTTP 401 Unauthorized, the IAM role you're using is not in the cluster's access entries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List current access entries</span> aws eks list-access-entries <span class="se">\</span> <span class="nt">--cluster-name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="c"># If your OrganizationAccountAccessRole is missing, add it:</span> <span class="nv">ROLE_ARN</span><span class="o">=</span><span class="s2">"arn:aws:iam::591120834781:role/OrganizationAccountAccessRole"</span> aws eks create-access-entry <span class="se">\</span> <span class="nt">--cluster-name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--principal-arn</span> <span class="nv">$ROLE_ARN</span> aws eks associate-access-policy <span class="se">\</span> <span class="nt">--cluster-name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--principal-arn</span> <span class="nv">$ROLE_ARN</span> <span class="se">\</span> <span class="nt">--policy-arn</span> arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy <span class="se">\</span> <span class="nt">--access-scope</span> <span class="nb">type</span><span class="o">=</span>cluster </code></pre> </div> <blockquote> <p>The root cause: <code>enable_cluster_creator_admin_permissions = true</code> must be explicitly set in the EKS module. If it's missing, Terraform creates the cluster but the IAM role that ran Terraform doesn't get an access entry.</p> </blockquote> <h2> AWS Load Balancer Controller </h2> <p>The AWS Load Balancer Controller (LBC) runs in every cluster and watches for Ingress resources with <code>ingressClassName: alb</code>. When it sees one, it provisions an Application Load Balancer in AWS automatically.</p> <p>Install via Helm (or ArgoCD) after the cluster is up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># IRSA for LBC</span> eksctl create iamserviceaccount <span class="se">\</span> <span class="nt">--cluster</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--namespace</span> kube-system <span class="se">\</span> <span class="nt">--name</span> aws-load-balancer-controller <span class="se">\</span> <span class="nt">--attach-policy-arn</span> arn:aws:iam::aws:policy/ElasticLoadBalancingFullAccess <span class="se">\</span> <span class="nt">--override-existing-serviceaccounts</span> <span class="se">\</span> <span class="nt">--approve</span> <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="c"># Install controller</span> helm repo add eks https://aws.github.io/eks-charts helm <span class="nb">install </span>aws-load-balancer-controller eks/aws-load-balancer-controller <span class="se">\</span> <span class="nt">-n</span> kube-system <span class="se">\</span> <span class="nt">--set</span> <span class="nv">clusterName</span><span class="o">=</span>myapp-production-use1 <span class="se">\</span> <span class="nt">--set</span> serviceAccount.create<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span> serviceAccount.name<span class="o">=</span>aws-load-balancer-controller <span class="se">\</span> <span class="nt">--set</span> <span class="nv">region</span><span class="o">=</span>us-east-1 <span class="se">\</span> <span class="nt">--set</span> <span class="nv">vpcId</span><span class="o">=</span>&lt;VPC_ID&gt; </code></pre> </div> <p>In this pipeline, the LBC is deployed via ArgoCD ApplicationSet — the Helm release is version-controlled in <code>myapp-gitops/infrastructure/aws-lbc/</code>.</p> <h2> StorageClass for EBS PVCs </h2> <p>kube-prometheus-stack needs persistent storage for Prometheus and Grafana data. With the EBS CSI driver installed, create a StorageClass:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gp2</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">storageclass.kubernetes.io/is-default-class</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">ebs.csi.aws.com</span> <span class="na">volumeBindingMode</span><span class="pi">:</span> <span class="s">WaitForFirstConsumer</span> <span class="c1"># Don't provision until pod is scheduled</span> <span class="na">reclaimPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="c1"># Don't delete EBS volume if PVC is deleted</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">gp2</span> <span class="na">encrypted</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">kmsKeyId</span><span class="pi">:</span> <span class="s">&lt;your-kms-key-arn&gt;</span> </code></pre> </div> <h2> Node Security Group Tags </h2> <p>For Karpenter to manage node lifecycles, it needs to find the cluster's node security group. Tag it during EKS creation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">node_security_group_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> </code></pre> </div> <p>Similarly, private subnets need the discovery tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">private_subnet_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> </code></pre> </div> <h2> Verifying All Six Clusters </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>CTX <span class="k">in </span>dev-use1 dev-usw2 staging-use1 staging-usw2 prod-use1 prod-usw2<span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"=== </span><span class="nv">$CTX</span><span class="s2"> ==="</span> kubectl <span class="nt">--context</span> <span class="nv">$CTX</span> get nodes <span class="nt">-o</span> wide <span class="k">done</span> </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">=== dev-use1 === NAME STATUS ROLES AGE VERSION </span><span class="gp">ip-10-0-8-xx.ec2.internal Ready &lt;none&gt;</span><span class="w"> </span>5d v1.29.15-eks-ac2d5a0 <span class="gp">ip-10-0-16-xx.ec2.internal Ready &lt;none&gt;</span><span class="w"> </span>5d v1.29.15-eks-ac2d5a0 <span class="go"> === prod-use1 === NAME STATUS ROLES AGE VERSION </span><span class="gp">ip-10-20-8-xx.ec2.internal Ready &lt;none&gt;</span><span class="w"> </span>5d v1.29.15-eks-ac2d5a0 <span class="gp">ip-10-20-16-xx.ec2.internal Ready &lt;none&gt;</span><span class="w"> </span>5d v1.29.15-eks-ac2d5a0 </code></pre> </div> <h2> Summary </h2> <p>By the end of Part 4 you have:</p> <ul> <li>✅ Six EKS clusters (Kubernetes 1.29) across three environments and two regions</li> <li>✅ Private endpoints on staging and production (public on dev)</li> <li>✅ KMS encryption for Kubernetes secrets in etcd</li> <li>✅ IAM IRSA for VPC CNI and EBS CSI add-ons</li> <li>✅ AWS Load Balancer Controller installed</li> <li>✅ kubectl contexts configured for all six clusters</li> <li>✅ Karpenter discovery tags on production node security groups and subnets</li> </ul> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: AWS EKS console showing 2 clusters running in production with ACTIVE status</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqlriaib1dnv6lg8xvsaj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqlriaib1dnv6lg8xvsaj.png" alt="AWS EKS console showing 2 clusters running in production with ACTIVE status" width="800" height="443"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff5n9ggmwhiy27xdg2puo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff5n9ggmwhiy27xdg2puo.png" alt="AWS EKS console showing 2 clusters running in production with ACTIVE status" width="800" height="442"></a></p> <p><strong>SCREENSHOT: kubectl get nodes output for all 6 clusters</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nsb4n1jnm1bz2cfrb55.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nsb4n1jnm1bz2cfrb55.png" alt="kubectl get nodes output for all 6 clusters" width="800" height="733"></a></p> </blockquote> <p><em>Next: Part 5 — GitOps with ArgoCD: Hub-Spoke Model</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> kubernetes aws devops cloud Part 3: Infrastructure as Code Matthew Wed, 25 Mar 2026 08:00:00 +0000 https://dev.to/matthewdipo/part-3-infrastructure-as-code-2o86 https://dev.to/matthewdipo/part-3-infrastructure-as-code-2o86 <h2> Part 3: Infrastructure as Code — Terraform Modules + Terragrunt </h2> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>Plain Terraform works fine for a single environment. But this pipeline has 6 clusters across 3 environments and 2 regions — 18+ Terragrunt child directories. Without a DRY strategy, you end up copy-pasting the same <code>provider</code>, <code>backend</code>, and <code>module</code> blocks everywhere, and a single account ID change means updating 18 files.</p> <p>Terragrunt solves this with two mechanisms:</p> <ul> <li> <strong><code>include</code></strong> — child configs inherit the root config's provider generation and remote state</li> <li> <strong><code>dependency</code></strong> — explicit ordering ensures VPC exists before EKS, KMS before EKS, etc.</li> </ul> <p>The result: each child <code>terragrunt.hcl</code> is typically 10–30 lines of pure inputs, with all boilerplate generated automatically.</p> <h2> Repository Layout </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>myapp-infra/ ├── _modules/ # Reusable Terraform modules (no Terragrunt here) │ ├── vpc/ │ │ ├── main.tf │ │ ├── variables.tf │ │ └── outputs.tf │ ├── eks/ │ ├── kms/ │ ├── iam/ │ ├── ecr/ │ ├── waf/ │ ├── guardduty/ │ ├── eso-irsa/ │ ├── fluent-bit-irsa/ │ ├── karpenter/ │ └── velero/ │ └── live/ # Terragrunt wrappers — one dir per resource per env/region ├── terragrunt.hcl # ROOT config (provider + backend generation) ├── dev/ │ ├── us-east-1/ │ │ ├── vpc/ │ │ │ └── terragrunt.hcl │ │ ├── kms/ │ │ │ └── terragrunt.hcl │ │ ├── eks/ │ │ │ └── terragrunt.hcl │ │ └── iam/ │ │ └── terragrunt.hcl │ └── us-west-2/ │ └── ... (mirror) ├── staging/ │ └── ... └── production/ └── ... </code></pre> </div> <p><strong>Key principle:</strong> modules in <code>_modules/</code> are pure Terraform — no Terragrunt, no state config, no provider config. They are just reusable building blocks. The <code>live/</code> tree contains nothing but thin Terragrunt wrappers that call those modules with environment-specific values.</p> <h2> Dependency Ordering </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────┐ │ APPLY ORDER (Terragrunt resolves this from dependency graph)│ │ │ │ 1. kms (no dependencies) │ │ 2. vpc (no dependencies) │ │ 3. eks (depends on: vpc, kms) │ │ 4. iam (depends on: eks — needs OIDC provider URL)│ │ 5. eso-irsa (depends on: eks, iam) │ │ 6. fluent-bit-irsa (depends on: eks) │ │ 7. karpenter (depends on: eks, iam) │ │ 8. velero (depends on: eks) │ │ 9. waf (no dependencies) │ │ 10. guardduty (no dependencies) │ └─────────────────────────────────────────────────────────────┘ </code></pre> </div> <p>Run everything in order automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>live/production/us-east-1 terragrunt run-all apply </code></pre> </div> <p>Terragrunt reads all <code>dependency</code> blocks, builds a DAG, and applies in the correct order.</p> <h2> Root Terragrunt Config </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/terragrunt.hcl</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">path_parts</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span> <span class="nx">path_relative_to_include</span><span class="p">())</span> <span class="nx">env</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">path_parts</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="c1"># dev | staging | production</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">path_parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="c1"># us-east-1 | us-west-2</span> <span class="nx">account_ids</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">dev</span> <span class="p">=</span> <span class="s2">"557702566877"</span> <span class="nx">staging</span> <span class="p">=</span> <span class="s2">"YOUR_STAGING_ACCOUNT_ID"</span> <span class="nx">production</span> <span class="p">=</span> <span class="s2">"591120834781"</span> <span class="p">}</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">account_ids</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">]</span> <span class="c1"># Region short alias for naming (avoids long names hitting IAM limits)</span> <span class="nx">region_alias</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">region</span> <span class="p">==</span> <span class="s2">"us-east-1"</span> <span class="err">?</span> <span class="s2">"use1"</span> <span class="err">:</span> <span class="s2">"usw2"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"myapp-${local.env}-${local.region_alias}"</span> <span class="p">}</span> <span class="c1"># Auto-generate provider.tf in every child directory</span> <span class="nx">generate</span> <span class="s2">"provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> provider "aws" { region = "${local.region}" assume_role { role_arn = "arn:aws:iam::${local.account_id}:role/OrganizationAccountAccessRole" } default_tags { tags = { Environment = "${local.env}" Region = "${local.region}" ManagedBy = "Terraform" Project = "myapp" Cluster = "${local.cluster_name}" } } } </span><span class="no"> EOF </span><span class="p">}</span> <span class="c1"># Auto-generate backend.tf — per-module state file in S3</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myapp-terraform-state-${local.account_id}"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"${path_relative_to_include()}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="c1"># State always in us-east-1 regardless of resource region</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"myapp-terraform-locks"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${local.account_id}:role/OrganizationAccountAccessRole"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> VPC Module </h2> <p>The VPC is the network foundation everything else sits in. Each environment gets its own VPC per region — 6 VPCs total.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CIDR allocation: dev us-east-1: 10.0.0.0/16 dev us-west-2: 10.1.0.0/16 staging us-east-1: 10.10.0.0/16 staging us-west-2: 10.11.0.0/16 prod us-east-1: 10.20.0.0/16 prod us-west-2: 10.21.0.0/16 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/vpc/main.tf</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_name</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">azs</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"${var.region}a"</span><span class="p">,</span> <span class="s2">"${var.region}b"</span><span class="p">,</span> <span class="s2">"${var.region}c"</span> <span class="p">]</span> <span class="c1"># Public subnets — for NAT Gateways, Internet-facing ALBs</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="c1"># x.x.0.0/24</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="c1"># x.x.1.0/24</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="c1"># x.x.2.0/24</span> <span class="p">]</span> <span class="c1"># Private subnets — EKS nodes, RDS, ElastiCache</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="c1"># x.x.8.0/21 (2048 IPs)</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="c1"># x.x.16.0/21</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">3</span><span class="p">),</span> <span class="c1"># x.x.24.0/21</span> <span class="p">]</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">single_nat_gateway</span> <span class="c1"># true for dev (cost), false for prod (HA)</span> <span class="nx">enable_vpn_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Required tags for AWS Load Balancer Controller to discover subnets</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="s2">"kubernetes.io/cluster/${var.cluster_name}"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="s2">"kubernetes.io/cluster/${var.cluster_name}"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="c1"># Karpenter node discovery</span> <span class="p">}</span> <span class="c1"># VPC Flow Logs for network traffic auditing</span> <span class="nx">enable_flow_log</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">create_flow_log_cloudwatch_log_group</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">create_flow_log_cloudwatch_iam_role</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">flow_log_max_aggregation_interval</span> <span class="p">=</span> <span class="mi">60</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/vpc/outputs.tf</span> <span class="nx">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"private_subnet_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"public_subnet_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_cidr_block"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_cidr_block</span> <span class="p">}</span> </code></pre> </div> <p><strong>Terragrunt child config:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/production/us-east-1/vpc/terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../_modules/vpc"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">vpc_name</span> <span class="p">=</span> <span class="s2">"myapp-production-use1"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="s2">"10.20.0.0/16"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"myapp-production-use1"</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># HA: one NAT GW per AZ</span> <span class="p">}</span> </code></pre> </div> <h2> KMS Module </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/kms/main.tf</span> <span class="c1"># Handle the AWSServiceRoleForAutoScaling chicken-and-egg problem.</span> <span class="c1"># In a fresh account this SLR doesn't exist yet, so we optionally create it.</span> <span class="nx">resource</span> <span class="s2">"aws_iam_service_linked_role"</span> <span class="s2">"autoscaling"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_autoscaling_slr</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">aws_service_name</span> <span class="p">=</span> <span class="s2">"autoscaling.amazonaws.com"</span> <span class="p">}</span> <span class="c1"># Wait 10s for IAM to propagate before referencing it in KMS key policy</span> <span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"wait_for_slr"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_autoscaling_slr</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_iam_service_linked_role</span><span class="p">.</span><span class="nx">autoscaling</span><span class="p">]</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"sleep 10"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">null_resource</span><span class="p">.</span><span class="nx">wait_for_slr</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"${var.env}-${var.region}-main"</span> <span class="nx">deletion_window_in_days</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">enable_key_rotation</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"RootFullAccess"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${var.account_id}:root"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"kms:*"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AutoScalingSLR"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${var.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kms:Encrypt"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:ReEncrypt*"</span><span class="p">,</span> <span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span><span class="p">,</span> <span class="s2">"kms:CreateGrant"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_kms_alias"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alias/${var.env}-${var.region_alias}-main"</span> <span class="nx">target_key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">key_id</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Critical lesson:</strong> <code>AWSServiceRoleForAutoScaling</code> is an account-scoped IAM entity, not region-scoped. If you're deploying to two regions in the same account, only the <strong>first region</strong> should set <code>create_autoscaling_slr = true</code>. The second region's KMS config uses <code>create_autoscaling_slr = false</code> because the SLR already exists from the first apply.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/production/us-east-1/kms/terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../_modules/kms"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">region_alias</span> <span class="p">=</span> <span class="s2">"use1"</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"591120834781"</span> <span class="nx">create_autoscaling_slr</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Already created by us-west-2 first apply</span> <span class="p">}</span> </code></pre> </div> <h2> EKS Module (overview — full detail in Part 4) </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/eks/main.tf (abbreviated)</span> <span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 20.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.29"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">control_plane_subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="c1"># Private endpoint — spokes only; dev gets public too</span> <span class="nx">cluster_endpoint_private_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_api</span> <span class="c1"># Must be explicit — without this the creator role can't kubectl</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_encryption_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_key_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_arn</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"secrets"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="c1"># Workaround: name_prefix is limited to 38 chars.</span> <span class="c1"># Long cluster names (staging, production) overflow this limit.</span> <span class="c1"># Using explicit name bypasses the prefix (IAM name limit is 64 chars).</span> <span class="nx">iam_role_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-node-group"</span> <span class="nx">iam_role_use_name_prefix</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> VPC Peering (for ArgoCD hub-spoke) </h2> <p>ArgoCD on <code>myapp-production-use1</code> needs to reach the private API endpoints of the 5 spoke clusters. VPC peering provides private connectivity without internet traversal.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>prod-use1 (10.20.0.0/16) ←──── VPC Peering ────► prod-usw2 (10.21.0.0/16) prod-use1 (10.20.0.0/16) ←──── VPC Peering ────► staging-use1 (10.10.0.0/16) prod-use1 (10.20.0.0/16) ←──── VPC Peering ────► staging-usw2 (10.11.0.0/16) </code></pre> </div> <blockquote> <p>Dev clusters use public endpoints — no VPC peering needed.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/production/us-east-1/vpc-peering/terragrunt.hcl</span> <span class="c1"># NOTE: vpc-peering configs CANNOT use include "root" with remote_state.</span> <span class="c1"># They must define remote_state explicitly because the generate label</span> <span class="c1"># conflicts with the parent. Define it inline instead.</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myapp-terraform-state-591120834781"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"production/us-east-1/vpc-peering/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"myapp-terraform-locks"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">generate</span> <span class="s2">"provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> provider "aws" { region = "us-east-1" assume_role { role_arn = "arn:aws:iam::591120834781:role/OrganizationAccountAccessRole" } } # Peer VPC is in the staging account — needs its own provider alias provider "aws" { alias = "staging" region = "us-east-1" assume_role { role_arn = "arn:aws:iam::STAGING_ACCOUNT_ID:role/OrganizationAccountAccessRole" } } </span><span class="no"> EOF </span><span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">requester_vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">prod_use1_vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">accepter_vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">staging_use1_vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="c1"># ... route table IDs, CIDR blocks, etc.</span> <span class="p">}</span> </code></pre> </div> <h2> Running the Stack </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># First apply: production us-east-1 (this region creates the AutoScaling SLR)</span> <span class="nb">cd </span>live/production/us-west-2 terragrunt run-all apply <span class="nt">--terragrunt-non-interactive</span> <span class="c"># Second: production us-east-1 (SLR already exists, create_autoscaling_slr=false)</span> <span class="nb">cd </span>live/production/us-east-1 terragrunt run-all apply <span class="nt">--terragrunt-non-interactive</span> <span class="c"># Check what changed before applying</span> <span class="nb">cd </span>live/staging/us-east-1 terragrunt run-all plan <span class="c"># Destroy a specific module (e.g., for re-creating)</span> <span class="nb">cd </span>live/dev/us-east-1/eks terragrunt destroy </code></pre> </div> <h2> State Management Best Practices </h2> <p>Each module has its own state file: <code>{env}/{region}/{module}/terraform.tfstate</code>.</p> <p><strong>Why not one big state file?</strong></p> <ul> <li>A corrupt or locked state file affects only one module, not the entire environment</li> <li> <code>terraform plan</code> on EKS doesn't load/lock VPC state — faster, safer</li> <li>Different engineers can work on different modules concurrently</li> </ul> <p><strong>State file key examples:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>production/us-east-1/vpc/terraform.tfstate production/us-east-1/eks/terraform.tfstate production/us-east-1/iam/terraform.tfstate production/us-west-2/vpc/terraform.tfstate </code></pre> </div> <h2> Common Pitfalls </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Symptom</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>AutoScaling SLR doesn't exist</td> <td> <code>MalformedPolicyDocumentException</code> on KMS create</td> <td>Set <code>create_autoscaling_slr = true</code> in first region; <code>false</code> in subsequent</td> </tr> <tr> <td>IAM name_prefix &gt; 38 chars</td> <td> <code>ValidationError: name_prefix</code> on node group create</td> <td>Use <code>iam_role_name</code> + <code>iam_role_use_name_prefix = false</code> </td> </tr> <tr> <td>VPC peering uses <code>include "root"</code> </td> <td> <code>generate label already defined</code> error</td> <td>Define <code>remote_state</code> block explicitly in vpc-peering configs</td> </tr> <tr> <td>AWS SG description has Unicode</td> <td> <code>Invalid description</code> on security group</td> <td>Use plain ASCII only in SG descriptions — no arrows (→) or greater-than (&gt;)</td> </tr> </tbody> </table></div> <h2> Summary </h2> <p>By the end of Part 3 you have:</p> <ul> <li>✅ DRY Terragrunt root config (provider + backend auto-generated from path)</li> <li>✅ VPC module with public/private subnets, NAT gateways, flow logs</li> <li>✅ KMS module handling the AutoScaling SLR chicken-and-egg problem</li> <li>✅ Dependency graph ensuring correct apply order</li> <li>✅ Per-module S3 state isolation</li> <li>✅ VPC peering between production hub and all spoke VPCs</li> </ul> <p><em>Next: Part 4 — EKS Multi-Cluster: Six Clusters Across Two Regions</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> terraform devops aws infrastructureascode Part 2: AWS Foundation Matthew Wed, 18 Mar 2026 09:00:00 +0000 https://dev.to/matthewdipo/part-2-aws-foundation-m5o https://dev.to/matthewdipo/part-2-aws-foundation-m5o <h2> Part 2: AWS Foundation — Organizations, SSO, and Account Setup </h2> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>The foundation of any serious AWS deployment is a well-structured multi-account setup. Running everything in one AWS account is the equivalent of putting all your files on a single server with no access controls — the blast radius of any mistake or breach is your entire infrastructure.</p> <p>In this part we set up AWS Organizations with four accounts, configure AWS IAM Identity Center (SSO) for human access, and establish the IAM trust relationships that allow GitHub Actions to deploy to our clusters without static credentials.</p> <h2> Why Multi-Account? </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ SINGLE ACCOUNT (anti-pattern) │ │ │ │ Dev workloads ─────────────────────────────┐ │ │ Staging workloads ─────────────────────────┤── Same IAM boundary │ │ Production workloads ──────────────────────┘ Same VPC space │ │ Same billing │ │ Risk: dev engineer accidentally deletes production RDS │ │ Risk: security incident in dev reaches production secrets │ └─────────────────────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────────────────────┐ │ MULTI-ACCOUNT (this guide) │ │ │ │ Dev Account: strong IAM isolation, cheap instance sizes │ │ Staging Account: production-like, but no real data │ │ Production Account: SCPs block destructive operations │ │ Management Account: no workloads, only ECR + SSO + billing │ │ │ │ Benefit: IAM permissions are account-scoped │ │ Benefit: Service Control Policies (SCPs) protect production │ │ Benefit: Separate billing per environment │ │ Benefit: VPC IP space per account (no CIDR conflicts) │ └─────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Step 1: Create AWS Organizations </h2> <p>Log in to your root AWS account (the one you used to sign up for AWS).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Console → AWS Organizations → Create Organization </code></pre> </div> <p>AWS Organizations gives you a single management pane for all accounts, consolidated billing, and — crucially — Service Control Policies (SCPs) that act as guardrails even for account root users.</p> <p>After creating the organization, note your <strong>Organization ID</strong> (format: <code>o-xxxxxxxxxx</code>).</p> <h2> Step 2: Create Member Accounts </h2> <p>Navigate to <strong>AWS Organizations → AWS Accounts → Add an AWS Account</strong>.</p> <p>Create three accounts:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Account Name</th> <th>Purpose</th> <th>Example ID</th> </tr> </thead> <tbody> <tr> <td><code>myapp-dev</code></td> <td>Development environment</td> <td><code>557702566877</code></td> </tr> <tr> <td><code>myapp-staging</code></td> <td>Staging environment</td> <td>(your value)</td> </tr> <tr> <td><code>myapp-production</code></td> <td>Production environment</td> <td><code>591120834781</code></td> </tr> </tbody> </table></div> <blockquote> <p><strong>Important:</strong> Use <code>+</code> email aliases to reuse your existing email. If your email is <code>you@gmail.com</code>, use <code>you+aws-dev@gmail.com</code>, <code>you+aws-staging@gmail.com</code>, etc. Gmail (and most providers) deliver these to the same inbox.</p> <p><strong>Tip:</strong> Record each account ID immediately. You will reference them throughout this series.</p> <p><strong>SCREENSHOT: AWS Organizations showing all 4 accounts in their OUs</strong></p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fri4vrvqinuo5ejw3lgpx.png" alt="AWS Organizations showing all 4 accounts in their OUs" width="800" height="427"> </h2> </blockquote> <h2> Step 3: Organize Accounts into OUs </h2> <p>Organizational Units (OUs) let you apply different SCPs to groups of accounts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Console → AWS Organizations → AWS Accounts → Root Create OUs: Root ├── Management (leave root account here) ├── Workloads │ ├── Dev (move myapp-dev here) │ ├── Staging (move myapp-staging here) │ └── Production (move myapp-production here) </code></pre> </div> <h2> Step 4: Apply Service Control Policies </h2> <p>SCPs are JSON IAM policies attached to OUs. They define the <strong>maximum permissions</strong> any principal in that OU can ever have — even the account root user cannot exceed them.</p> <p>Apply this SCP to the <strong>Production OU</strong> to prevent accidental deletion of critical resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyDangerousEKSOperations"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"eks:DeleteCluster"</span><span class="p">,</span><span class="w"> </span><span class="s2">"eks:DeleteNodegroup"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringNotEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:PrincipalTag/AllowDestructive"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyRDSDelete"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"rds:DeleteDBInstance"</span><span class="p">,</span><span class="w"> </span><span class="s2">"rds:DeleteDBCluster"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RequireRegions"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"NotAction"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"iam:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sts:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"route53:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cloudfront:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"waf:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"acm:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"support:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"health:*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringNotEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:RequestedRegion"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="s2">"us-west-2"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p>The region restriction SCP ensures no resources are accidentally created outside your approved regions. IAM, STS, Route53, and ACM are excluded because they are global services.</p> </blockquote> <h2> Step 5: Configure AWS IAM Identity Center (SSO) </h2> <p>AWS IAM Identity Center (formerly AWS SSO) lets your team log in with a single set of credentials across all accounts. It is far superior to creating IAM users in every account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Console → IAM Identity Center → Enable Steps: 1. Choose identity source: "Identity Center directory" (built-in, no external IdP needed) 2. Create users for each team member 3. Create Permission Sets (these become IAM roles in each account) 4. Assign users to accounts with appropriate Permission Sets </code></pre> </div> <p><strong>Create two Permission Sets:</strong></p> <p><em>AdministratorAccess (for platform engineers):</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: AdministratorAccess Session duration: 8 hours Managed policy: AdministratorAccess </code></pre> </div> <p><em>ReadOnlyAccess (for developers / auditors):</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: ReadOnlyAccess Session duration: 8 hours Managed policy: ReadOnlyAccess </code></pre> </div> <p><strong>Assign to accounts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>myapp-dev: you → AdministratorAccess myapp-staging: you → AdministratorAccess myapp-production: you → AdministratorAccess Management: you → AdministratorAccess </code></pre> </div> <p><strong>Configure the AWS CLI for SSO:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run on your local machine</span> aws configure sso <span class="c"># When prompted:</span> SSO session name: admin SSO start URL: https://your-id.awsapps.com/start SSO region: us-east-1 SSO registration scopes: sso:account:access <span class="c"># After login, name each profile:</span> <span class="c"># Profile for dev/us-east-1: myapp-dev-use1</span> <span class="c"># Profile for dev/us-west-2: myapp-dev-usw2</span> <span class="c"># etc.</span> </code></pre> </div> <p>Your <code>~/.aws/config</code> will look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[sso-session admin]</span> <span class="py">sso_start_url</span> <span class="p">=</span> <span class="s">https://your-id.awsapps.com/start</span> <span class="py">sso_region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">sso_registration_scopes</span> <span class="p">=</span> <span class="s">sso:account:access</span> <span class="nn">[profile myapp-prod-use1]</span> <span class="py">sso_session</span> <span class="p">=</span> <span class="s">admin</span> <span class="py">sso_account_id</span> <span class="p">=</span> <span class="s">591120834781</span> <span class="py">sso_role_name</span> <span class="p">=</span> <span class="s">AdministratorAccess</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> <span class="nn">[profile myapp-prod-usw2]</span> <span class="py">sso_session</span> <span class="p">=</span> <span class="s">admin</span> <span class="py">sso_account_id</span> <span class="p">=</span> <span class="s">591120834781</span> <span class="py">sso_role_name</span> <span class="p">=</span> <span class="s">AdministratorAccess</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-west-2</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> <span class="nn">[profile myapp-dev-use1]</span> <span class="py">sso_session</span> <span class="p">=</span> <span class="s">admin</span> <span class="py">sso_account_id</span> <span class="p">=</span> <span class="s">557702566877</span> <span class="py">sso_role_name</span> <span class="p">=</span> <span class="s">AdministratorAccess</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> </code></pre> </div> <p><strong>Authenticate:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sso login <span class="nt">--sso-session</span> admin <span class="c"># Opens browser → log in → token saved locally for 8 hours</span> <span class="c"># Test:</span> aws sts get-caller-identity <span class="nt">--profile</span> myapp-prod-use1 </code></pre> </div> <blockquote> <p><strong>SCREENSHOT: IAM Identity Center showing SSO portal with all accounts and permission sets</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F02oyn6ra1zcetkf73vdp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F02oyn6ra1zcetkf73vdp.png" alt="IAM Identity Center showing SSO portal with all accounts and permission sets" width="800" height="442"></a></p> </blockquote> <h2> Step 6: GitHub OIDC — No Static AWS Keys in CI </h2> <p>This is one of the most important security decisions in the entire pipeline. Traditional CI/CD stores AWS access keys as GitHub Secrets. Those keys:</p> <ul> <li>Never expire automatically</li> <li>Are as powerful as the IAM user they belong to</li> <li>Can be exfiltrated from logs if misconfigured</li> </ul> <p>OIDC (OpenID Connect) eliminates static keys. GitHub Actions generates a short-lived JWT token for each workflow run. AWS validates this token cryptographically and exchanges it for a temporary STS credential that expires when the job ends.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ OIDC TOKEN FLOW │ │ │ │ GitHub Actions Job starts │ │ │ │ │ ▼ │ │ GitHub generates JWT (signed by GitHub's OIDC provider) │ │ Claims include: │ │ sub: repo:MatthewDipo/myapp:ref:refs/heads/main │ │ aud: sts.amazonaws.com │ │ │ │ │ ▼ │ │ aws sts assume-role-with-web-identity │ │ --role-arn arn:aws:iam::ACCOUNT:role/ROLE │ │ --web-identity-token &lt;JWT&gt; │ │ │ │ │ ▼ │ │ AWS validates JWT against GitHub's OIDC endpoint │ │ (https://token.actions.githubusercontent.com) │ │ │ │ │ ▼ │ │ Returns: AccessKeyId + SecretAccessKey + SessionToken │ │ (valid for 1 hour maximum, then automatically expire) │ └─────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <p><strong>Terraform to create the OIDC provider (management account, us-east-1 only — it is global):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/iam/main.tf</span> <span class="c1"># Fetch GitHub's OIDC thumbprint automatically</span> <span class="nx">data</span> <span class="s2">"tls_certificate"</span> <span class="s2">"github"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"github"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_github_oidc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">data</span><span class="p">.</span><span class="nx">tls_certificate</span><span class="p">.</span><span class="nx">github</span><span class="p">.</span><span class="nx">certificates</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">sha1_fingerprint</span> <span class="p">]</span> <span class="p">}</span> <span class="c1"># IAM role for GitHub Actions CI — one per cluster</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"github_ci"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-github-ci"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">github_oidc_provider_arn</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"token.actions.githubusercontent.com:aud"</span> <span class="p">=</span> <span class="s2">"sts.amazonaws.com"</span> <span class="p">}</span> <span class="nx">StringLike</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># Only main branch of your specific repo can assume this role</span> <span class="s2">"token.actions.githubusercontent.com:sub"</span> <span class="p">=</span> <span class="s2">"repo:${var.github_user}/${var.github_repo}:ref:refs/heads/main"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"github_ci"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"github-ci-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">github_ci</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"ECRAuth"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ecr:GetAuthorizationToken"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"ECRPush"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:BatchCheckLayerAvailability"</span><span class="p">,</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span><span class="p">,</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:InitiateLayerUpload"</span><span class="p">,</span> <span class="s2">"ecr:UploadLayerPart"</span><span class="p">,</span> <span class="s2">"ecr:CompleteLayerUpload"</span><span class="p">,</span> <span class="s2">"ecr:PutImage"</span><span class="p">,</span> <span class="s2">"ecr:DescribeImages"</span><span class="p">,</span> <span class="s2">"ecr:ListImages"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:ecr:*:${var.account_id}:repository/myapp"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"KMSCosignSign"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"kms:Sign"</span><span class="p">,</span> <span class="s2">"kms:GetPublicKey"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cosign_kms_key_arn</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"S3AuditWrite"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:PutObject"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"${var.audit_bucket_arn}/ci-push-audit/*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key security insight:</strong> The <code>Condition</code> block in the trust policy is critical. It restricts role assumption to:</p> <ol> <li>Only your specific repository (<code>repo:MatthewDipo/myapp</code>)</li> <li>Only the <code>main</code> branch</li> </ol> <p>A fork of your repository, or a branch other than <code>main</code>, cannot assume this role.</p> <h2> Step 7: ECR Repository in the Management Account </h2> <p>We store Docker images in the management account's ECR rather than per-environment accounts. This means one place to manage image lifecycle policies and one IAM policy for cross-account pull permissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/ecr/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_ecr_repository"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">name</span> <span class="nx">image_tag_mutability</span> <span class="p">=</span> <span class="s2">"IMMUTABLE"</span> <span class="c1"># Tags cannot be overwritten</span> <span class="nx">image_scanning_configuration</span> <span class="p">{</span> <span class="nx">scan_on_push</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># ECR runs basic CVE scan on every push</span> <span class="p">}</span> <span class="nx">encryption_configuration</span> <span class="p">{</span> <span class="nx">encryption_type</span> <span class="p">=</span> <span class="s2">"KMS"</span> <span class="nx">kms_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ecr_lifecycle_policy"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">repository</span> <span class="p">=</span> <span class="nx">aws_ecr_repository</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">rules</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">rulePriority</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Keep last 30 tagged images"</span> <span class="nx">selection</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">tagStatus</span> <span class="p">=</span> <span class="s2">"tagged"</span> <span class="nx">tagPrefixList</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sha-"</span><span class="p">]</span> <span class="nx">countType</span> <span class="p">=</span> <span class="s2">"imageCountMoreThan"</span> <span class="nx">countNumber</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> <span class="nx">action</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"expire"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">rulePriority</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Delete untagged images after 1 day"</span> <span class="nx">selection</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">tagStatus</span> <span class="p">=</span> <span class="s2">"untagged"</span> <span class="nx">countType</span> <span class="p">=</span> <span class="s2">"sinceImagePushed"</span> <span class="nx">countUnit</span> <span class="p">=</span> <span class="s2">"days"</span> <span class="nx">countNumber</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">action</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"expire"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Cross-account pull policy — allows dev/staging/prod accounts to pull images</span> <span class="nx">resource</span> <span class="s2">"aws_ecr_repository_policy"</span> <span class="s2">"cross_account"</span> <span class="p">{</span> <span class="nx">repository</span> <span class="p">=</span> <span class="nx">aws_ecr_repository</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"CrossAccountPull"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:iam::${var.dev_account_id}:root"</span><span class="p">,</span> <span class="s2">"arn:aws:iam::${var.staging_account_id}:root"</span><span class="p">,</span> <span class="s2">"arn:aws:iam::${var.prod_account_id}:root"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span><span class="p">,</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:BatchCheckLayerAvailability"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><code>IMMUTABLE</code> tags mean that once you push <code>sha-abc123</code>, that tag forever points to that exact image digest. No one can silently overwrite an existing tag with a different image — a subtle but important supply chain security control.</p> <blockquote> <p><strong>SCREENSHOT: ECR repository showing images with sha- tags and scan results</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyjuzifv2e29obgl1n0w8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyjuzifv2e29obgl1n0w8.png" alt="ECR repository showing images with sha- tags and scan results" width="800" height="443"></a></p> </blockquote> <h2> Step 8: KMS Keys for Encryption at Rest </h2> <p>Each environment gets its own KMS key for encrypting:</p> <ul> <li>EKS Kubernetes secrets (etcd encryption)</li> <li>EBS volumes (Prometheus/Grafana/Velero PVCs)</li> <li>ECR images</li> <li>S3 buckets (Velero backups, CI audit logs) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/kms/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"${var.env}-${var.region}-main"</span> <span class="nx">deletion_window_in_days</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">enable_key_rotation</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Rotate annually, automatically</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"Enable IAM User Permissions"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${var.account_id}:root"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"kms:*"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"Allow EKS"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"eks.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kms:Encrypt"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"Allow AutoScaling"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${var.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kms:Encrypt"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:ReEncrypt*"</span><span class="p">,</span> <span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span><span class="p">,</span> <span class="s2">"kms:CreateGrant"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_kms_alias"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alias/${var.env}-${var.region}-main"</span> <span class="nx">target_key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">key_id</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Lesson learned:</strong> The <code>AWSServiceRoleForAutoScaling</code> must exist in the account before you can reference it in the KMS key policy. In fresh accounts, create this Service Linked Role first or AWS will reject the key policy with <code>MalformedPolicyDocumentException</code>. See Part 3 for the Terragrunt pattern that handles this.</p> </blockquote> <h2> Step 9: Terragrunt Root Configuration </h2> <p>Before writing any Terragrunt configs, establish the root <code>terragrunt.hcl</code> that all child configs inherit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/terragrunt.hcl (root)</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Parse path to extract env and region</span> <span class="c1"># e.g., live/production/us-east-1/eks → env=production, region=us-east-1</span> <span class="nx">path_parts</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span> <span class="nx">path_relative_to_include</span><span class="p">())</span> <span class="nx">env</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">path_parts</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">path_parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">account_ids</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">dev</span> <span class="p">=</span> <span class="s2">"557702566877"</span> <span class="nx">staging</span> <span class="p">=</span> <span class="s2">"STAGING_ACCOUNT_ID"</span> <span class="nx">production</span> <span class="p">=</span> <span class="s2">"591120834781"</span> <span class="nx">management</span> <span class="p">=</span> <span class="s2">"MGMT_ACCOUNT_ID"</span> <span class="p">}</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">account_ids</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Generate provider.tf in every child directory</span> <span class="nx">generate</span> <span class="s2">"provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> provider "aws" { region = "${local.region}" assume_role { role_arn = "arn:aws:iam::${local.account_id}:role/OrganizationAccountAccessRole" } default_tags { tags = { Environment = "${local.env}" ManagedBy = "Terraform" Project = "myapp" } } } </span><span class="no">EOF </span><span class="p">}</span> <span class="c1"># Generate backend.tf — S3 state, DynamoDB lock table</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myapp-terraform-state-${local.account_id}"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"${path_relative_to_include()}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"myapp-terraform-locks"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${local.account_id}:role/OrganizationAccountAccessRole"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>generate "provider"</code> block means you never write a <code>provider.tf</code> by hand. Every module automatically gets the correct AWS account and region based purely on its directory path. This is the key DRY benefit of Terragrunt.</p> <h2> Understanding <code>OrganizationAccountAccessRole</code> </h2> <p>When you create a member account via AWS Organizations, AWS automatically creates a role called <code>OrganizationAccountAccessRole</code> in that account. This role trusts your management account, allowing management account principals to assume it and perform actions in the member account.</p> <p>This is how Terraform (running with management account credentials) deploys infrastructure into dev, staging, and production without needing separate credentials per account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Management Account (your terminal / CI) │ │ sts:AssumeRole ▼ arn:aws:iam::591120834781:role/OrganizationAccountAccessRole │ │ (full AdministratorAccess in production account) ▼ Production Account resources </code></pre> </div> <h2> Step 10: Bootstrap S3 State Buckets </h2> <p>Before running any Terragrunt, each account needs its S3 bucket and DynamoDB table for Terraform state.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run this once per account (adjust account ID and profile)</span> <span class="k">for </span>PROFILE <span class="k">in </span>myapp-dev-use1 myapp-staging-use1 myapp-prod-use1<span class="p">;</span> <span class="k">do </span><span class="nv">ACCOUNT_ID</span><span class="o">=</span><span class="si">$(</span>aws sts get-caller-identity <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--query</span> Account <span class="nt">--output</span> text<span class="si">)</span> <span class="nv">REGION</span><span class="o">=</span><span class="s2">"us-east-1"</span> <span class="c"># Create state bucket</span> aws s3api create-bucket <span class="se">\</span> <span class="nt">--bucket</span> <span class="s2">"myapp-terraform-state-</span><span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="se">\</span> <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="c"># Enable versioning (lets you recover from bad applies)</span> aws s3api put-bucket-versioning <span class="se">\</span> <span class="nt">--bucket</span> <span class="s2">"myapp-terraform-state-</span><span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--versioning-configuration</span> <span class="nv">Status</span><span class="o">=</span>Enabled <span class="se">\</span> <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="c"># Enable encryption</span> aws s3api put-bucket-encryption <span class="se">\</span> <span class="nt">--bucket</span> <span class="s2">"myapp-terraform-state-</span><span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--server-side-encryption-configuration</span> <span class="s1">'{ "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}] }'</span> <span class="se">\</span> <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="c"># Block public access</span> aws s3api put-public-access-block <span class="se">\</span> <span class="nt">--bucket</span> <span class="s2">"myapp-terraform-state-</span><span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--public-access-block-configuration</span> <span class="se">\</span> <span class="s2">"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"</span> <span class="se">\</span> <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="c"># Create DynamoDB lock table</span> aws dynamodb create-table <span class="se">\</span> <span class="nt">--table-name</span> myapp-terraform-locks <span class="se">\</span> <span class="nt">--attribute-definitions</span> <span class="nv">AttributeName</span><span class="o">=</span>LockID,AttributeType<span class="o">=</span>S <span class="se">\</span> <span class="nt">--key-schema</span> <span class="nv">AttributeName</span><span class="o">=</span>LockID,KeyType<span class="o">=</span>HASH <span class="se">\</span> <span class="nt">--billing-mode</span> PAY_PER_REQUEST <span class="se">\</span> <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="se">\</span> <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nb">echo</span> <span class="s2">"State backend ready for account </span><span class="nv">$ACCOUNT_ID</span><span class="s2">"</span> <span class="k">done</span> </code></pre> </div> <h2> Summary </h2> <p>By the end of this part you have:</p> <ul> <li>✅ AWS Organizations with four accounts (management, dev, staging, production)</li> <li>✅ Service Control Policies protecting production from accidental destruction</li> <li>✅ AWS SSO for human access (no IAM users with permanent credentials)</li> <li>✅ GitHub OIDC provider enabling keyless CI authentication</li> <li>✅ ECR repository with immutable tags, cross-account pull, and lifecycle policies</li> <li>✅ KMS keys for encryption at rest in every environment</li> <li>✅ Terragrunt root config that automatically derives account/region from directory path</li> <li>✅ S3 + DynamoDB Terraform state backend per account</li> </ul> <p><strong>If this was useful, follow me on dev.to</strong> — I publish Part 3 next Wednesday covering the Infrastructure as Code — Terraform Modules + Terragrunt.</p> <p><strong>Questions?</strong> Drop them in the comments — I read and reply to every one.</p> <p><em>Next: Part 3 — Infrastructure as Code: Terraform Modules + Terragrunt</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> aws devops security terraform Part 1: Architecture Overview Matthew Wed, 11 Mar 2026 09:24:20 +0000 https://dev.to/matthewdipo/part-1-architecture-overview-20p2 https://dev.to/matthewdipo/part-1-architecture-overview-20p2 <h2> Building a Production-Grade DevSecOps Pipeline on AWS: A Complete Guide </h2> <blockquote> <p><strong>Series Overview:</strong> This 10-part series walks you through building a real-world, production-grade DevSecOps platform on AWS from scratch — the same architecture used at mature engineering organizations. By the end, you will have six EKS clusters, a GitOps delivery model, a hardened CI/CD pipeline, runtime security, full-stack observability, and automated disaster recovery.</p> <p><strong>Live system:</strong> Everything in this series is running in production right now.<br> Check it: <code>curl https://www.matthewoladipupo.dev/health</code><br> → <code>{"status":"healthy","region":"us-east-1"}</code></p> </blockquote> <p>This is Part 1 of a 10-part series. You can follow the full series here on dev.to.</p> <h2> Part 1: Architecture Overview &amp; What We Are Building </h2> <h3> Introduction </h3> <p>Most DevSecOps tutorials show you one piece of the puzzle — a Kubernetes cluster here, a CI pipeline there. This series is different. We build the entire platform end to end: infrastructure-as-code, multi-environment clusters, GitOps, security policy enforcement, runtime threat detection, secrets management, observability, canary deployments, autoscaling, and backup — all wired together the way a production engineering team would actually build it.</p> <p>Every component in this guide is running live. The screenshots you will see throughout this series come from the actual deployment at <code>matthewoladipupo.dev</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs0wyx83zqs883ffi533o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs0wyx83zqs883ffi533o.png" alt="Production-Grade DevSecOps Pipeline — Full Architecture Overview showing <br> 6 EKS clusters, ArgoCD hub-spoke GitOps, GitHub Actions CI/CD, and AWS <br> security services" width="800" height="545"></a><em>The complete system: GitHub → CI/CD → ECR → ArgoCD hub → 6 EKS clusters <br> across 3 environments and 2 AWS regions. Every component is covered in this <br> 10-part series.</em></p> <p><strong>What you will build:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Tools</th> </tr> </thead> <tbody> <tr> <td>Infrastructure as Code</td> <td>Terraform + Terragrunt</td> </tr> <tr> <td>Cloud Platform</td> <td>AWS (multi-account, multi-region)</td> </tr> <tr> <td>Container Orchestration</td> <td>Amazon EKS (6 clusters)</td> </tr> <tr> <td>GitOps Delivery</td> <td>ArgoCD (hub-spoke)</td> </tr> <tr> <td>CI/CD Pipeline</td> <td>GitHub Actions</td> </tr> <tr> <td>Container Security</td> <td>Trivy, Cosign, Distroless images</td> </tr> <tr> <td>Policy Enforcement</td> <td>Kyverno</td> </tr> <tr> <td>Runtime Security</td> <td>Falco</td> </tr> <tr> <td>Secrets Management</td> <td>AWS Secrets Manager + External Secrets Operator</td> </tr> <tr> <td>Monitoring</td> <td>Prometheus + Grafana (kube-prometheus-stack)</td> </tr> <tr> <td>Logging</td> <td>Fluent Bit → AWS CloudWatch</td> </tr> <tr> <td>Canary Deployments</td> <td>Argo Rollouts</td> </tr> <tr> <td>Autoscaling</td> <td>Karpenter + HPA</td> </tr> <tr> <td>Backup &amp; DR</td> <td>Velero + S3</td> </tr> <tr> <td>Web Application Firewall</td> <td>AWS WAF v2</td> </tr> <tr> <td>Threat Detection</td> <td>AWS GuardDuty</td> </tr> <tr> <td>DNS &amp; TLS</td> <td>Route53 + ACM (wildcard cert)</td> </tr> <tr> <td>Load Balancing</td> <td>AWS Load Balancer Controller</td> </tr> </tbody> </table></div> <h3> High-Level Architecture </h3> <p>The platform follows a <strong>hub-spoke GitOps model</strong> across three environments and two AWS regions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────────────────┐ │ AWS ORGANIZATION │ │ │ │ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────────────┐ │ │ │ Management Acct │ │ Dev Account │ │ Staging Account │ │ │ │ (ECR, CI Audit) │ │ 557702566877 │ │ │ │ │ │ │ │ ┌─────────────┐ │ │ ┌────────┐ ┌────────┐ │ │ │ │ ┌───────────┐ │ │ │ EKS use1 │ │ │ │EKS use1│ │EKS usw2│ │ │ │ │ │ECR: myapp │ │ │ │ (public ep) │ │ │ │ │ │ │ │ │ │ │ └───────────┘ │ │ └─────────────┘ │ │ └────────┘ └────────┘ │ │ │ └──────────────────┘ │ ┌─────────────┐ │ └──────────────────────────┘ │ │ │ │ EKS usw2 │ │ │ │ │ │ (public ep) │ │ ┌──────────────────────────┐ │ │ │ └─────────────┘ │ │ Production Account │ │ │ └──────────────────┘ │ 591120834781 │ │ │ │ │ │ │ │ ┌────────┐ ┌────────┐ │ │ │ │ │EKS use1│ │EKS usw2│ │ │ │ │ │ HUB │ │ Spoke │ │ │ │ │ │(ArgoCD)│ │ │ │ │ │ │ └────────┘ └────────┘ │ │ │ └──────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> Detailed Architecture Diagram </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> DEVELOPER WORKFLOW ────────────────── git push → GitHub │ ▼ ┌─────────────────────────────────────────────────────────────────────────────────┐ │ GITHUB ACTIONS CI PIPELINE │ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────────┐ │ │ │ Lint + │ │ Trivy │ │ Docker │ │ Cosign │ │ Push to ECR │ │ │ │ Test │→ │ Scan │→ │ Build │→ │ Sign │→ │ (multi-region) │ │ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────────────┘ │ │ │ │ │ OIDC (no static keys) │ │ │ IAM Roles per cluster │ │ └────────────────────────────────────────────────────────────────────┼────────────┘ │ ▼ myapp-gitops repo (image tag updated) │ ▼ ┌─────────────────────────────────────────────────────────────────────────────────┐ │ ARGOCD HUB (myapp-production-use1) │ │ │ │ ApplicationSets (list generators per cluster) │ │ ┌─────────────────────────────────────────────────────────────────────────┐ │ │ │ environments/ infrastructure/ argocd/ │ │ │ │ ├─ dev ├─ monitoring └─ project-*.yaml │ │ │ │ ├─ staging ├─ logging │ │ │ │ └─ production ├─ eso │ │ │ │ ├─ kyverno │ │ │ │ ├─ falco │ │ │ │ ├─ velero │ │ │ │ ├─ karpenter │ │ │ │ └─ argo-rollouts │ │ │ └─────────────────────────────────────────────────────────────────────────┘ │ │ │ │ Syncs to ──────────────────────────────────────────────────────────────────► │ └──────┬──────────────────────────────────────────────────────────────────────────┘ │ VPC Peering (private endpoints) ├────────────────────────────────► myapp-production-usw2 ├────────────────────────────────► myapp-staging-use1 ├────────────────────────────────► myapp-staging-usw2 ├────────────────────────────────► myapp-dev-use1 └────────────────────────────────► myapp-dev-usw2 </code></pre> </div> <h3> Per-Cluster Component Stack </h3> <p>Every cluster runs the same security and observability baseline. The diagram below shows what runs on each cluster after bootstrapping:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────────┐ │ EKS CLUSTER (per-cluster stack) │ │ │ │ SYSTEM NAMESPACES │ │ ┌─────────────┐ ┌──────────────────┐ ┌────────────────────────┐ │ │ │ kube-system│ │ kyverno │ │ falco │ │ │ │ (aws-lbc, │ │ (policy engine) │ │ (runtime security) │ │ │ │ coreDNS) │ │ │ │ │ │ │ └─────────────┘ └──────────────────┘ └────────────────────────┘ │ │ │ │ ┌─────────────────────┐ ┌───────────────────────────────────────┐ │ │ │ external-secrets │ │ monitoring │ │ │ │ (ESO operator) │ │ Prometheus ── Grafana ── Alertmanager│ │ │ └─────────────────────┘ └───────────────────────────────────────┘ │ │ │ │ ┌───────────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ │ │ logging │ │ velero │ │ karpenter │ │ │ │ (Fluent Bit DS) │ │ (backup) │ │ (prod only)│ │ │ └───────────────────────┘ └──────────────────┘ └─────────────┘ │ │ │ │ ┌───────────────────────┐ ┌──────────────────────────────────────┐ │ │ │ argo-rollouts │ │ myapp (prod) / myapp (dev/staging) │ │ │ │ (canary controller) │ │ Rollout ──► canary ──► stable │ │ │ └───────────────────────┘ └──────────────────────────────────────┘ │ └──────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> Network Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> AWS REGION: us-east-1 ┌───────────────────────────────────────────────────────────┐ │ VPC: production-use1 (10.20.0.0/16) │ │ │ │ ┌──────────────────────────┐ ┌──────────────────────┐ │ │ │ Public Subnets │ │ Private Subnets │ │ │ │ 10.20.0.0/24 (us-east-1a) 10.20.8.0/21 (use1a) │ │ │ │ 10.20.1.0/24 (us-east-1b) 10.20.16.0/21 (use1b) │ │ │ │ 10.20.2.0/24 (us-east-1c) 10.20.24.0/21 (use1c) │ │ │ │ │ │ │ │ │ │ NAT Gateways │ │ EKS Node Groups │ │ │ │ Internet Gateway │ │ EKS API endpoint │ │ │ │ ALB (internet-facing) │ │ (private only) │ │ │ └──────────────────────────┘ └──────────────────────┘ │ └───────────────────────────────────────────────────────────┘ │ │ │ VPC Peering │ │ (private, encrypted) │ ▼ ▼ ┌────────────────────┐ ┌────────────────────────────────┐ │ VPC: prod-usw2 │ │ VPC: staging-use1 │ │ (10.21.0.0/16) │ │ (10.10.0.0/16) │ └────────────────────┘ └────────────────────────────────┘ Internet Traffic Flow: User → Route53 (latency routing) → ALB → AWS WAF → ALB Target Group → Pod (via ALB target type: ip, directly to pod IP) → Response back to user </code></pre> </div> <h3> CI/CD Pipeline Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ GitHub: MatthewDipo/myapp │ │ │ │ Developer: git push origin main │ └──────────────────────────────┬──────────────────────────────────────┘ │ triggers ▼ ┌─────────────────────────────────────────────────────────────────────┐ │ GitHub Actions: .github/workflows/ci.yaml │ │ │ │ Job 1: lint-and-test │ │ └─ npm ci &amp;&amp; npm test │ │ │ │ Job 2: scan (needs: lint-and-test) │ │ └─ trivy image --severity HIGH,CRITICAL │ │ │ │ Job 3: build-push-sign (needs: scan) │ │ ├─ OIDC → assume IAM role (no static AWS keys) │ │ ├─ docker build (distroless:nonroot base) │ │ ├─ docker push → ECR us-east-1 (management account) │ │ ├─ docker push → ECR us-west-2 (management account) │ │ ├─ cosign sign --key awskms:// (KMS signing key) │ │ └─ Write S3 audit log (image digest + timestamp) │ │ │ │ Job 4: update-gitops (needs: build-push-sign) │ │ └─ Patch myapp-gitops/apps/myapp/values-*.yaml (image.tag) │ └──────────────────────────────┬──────────────────────────────────────┘ │ git push to myapp-gitops ▼ ┌─────────────────────────────────────────────────────────────────────┐ │ GitHub: MatthewDipo/myapp-gitops │ │ ArgoCD detects diff → triggers sync per cluster │ │ │ │ Production: Argo Rollouts Canary │ │ ├─ Step 1: setWeight 20% (canary gets 20% traffic) │ │ ├─ Step 2: pause 5 minutes │ │ ├─ Step 3: AnalysisRun (check error rate &lt; 1%) │ │ └─ Step 4: setWeight 100% (promote to stable) │ │ │ │ Dev/Staging: Rolling Update (immediate) │ └─────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> Security Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────────┐ │ SECURITY LAYERS │ │ │ │ Layer 1: SUPPLY CHAIN SECURITY │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ Source: GitHub branch protection + required reviews │ │ │ │ Build: Trivy CVE scan (fails pipeline on HIGH/CRITICAL) │ │ │ │ Image: Distroless base (no shell, no package manager) │ │ │ │ Sign: Cosign + AWS KMS (cryptographic attestation) │ │ │ │ Verify: Kyverno policy blocks unsigned images at admission │ │ │ └────────────────────────────────────────────────────────────────────┘ │ │ │ │ Layer 2: INFRASTRUCTURE SECURITY │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ Network: Private EKS endpoints (staging/prod) │ │ │ │ VPC peering (no internet traversal between clusters) │ │ │ │ NetworkPolicies (deny-all default, allow explicitly) │ │ │ │ IAM: IRSA (pod-level IAM, no node-level credentials) │ │ │ │ OIDC for GitHub Actions (no static AWS keys in CI) │ │ │ │ Secrets: AWS Secrets Manager (never stored in Git) │ │ │ │ KMS: Envelope encryption for EKS secrets + ECR + S3 │ │ │ └────────────────────────────────────────────────────────────────────┘ │ │ │ │ Layer 3: WORKLOAD ADMISSION CONTROL (Kyverno) │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ ✗ Block privileged containers │ │ │ │ ✗ Block hostPath volume mounts │ │ │ │ ✗ Block containers running as root (uid=0) │ │ │ │ ✗ Block images without valid Cosign signature │ │ │ │ ✗ Block missing resource limits │ │ │ │ ✓ Allow myapp from ECR with valid signature │ │ │ └────────────────────────────────────────────────────────────────────┘ │ │ │ │ Layer 4: RUNTIME THREAT DETECTION (Falco) │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ Alert on: shell spawned in container │ │ │ │ Alert on: sensitive file read (/etc/shadow, /etc/passwd) │ │ │ │ Alert on: unexpected outbound network connection │ │ │ │ Alert on: privilege escalation attempts │ │ │ │ Output: CloudWatch Logs (via Fluent Bit) │ │ │ └────────────────────────────────────────────────────────────────────┘ │ │ │ │ Layer 5: PERIMETER SECURITY │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ AWS WAF v2: Managed rules (OWASP Top 10, SQL injection, XSS) │ │ │ │ AWS GuardDuty: Account-level threat intelligence │ │ │ │ ACM: TLS 1.2+ enforced, HTTP → HTTPS redirect │ │ │ └────────────────────────────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> GitOps Repository Structure </h3> <p>Two GitHub repositories drive everything after the CI pipeline builds the image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>MatthewDipo/myapp-gitops/ │ ├── argocd/ │ ├── project-dev.yaml # AppProject: dev clusters │ ├── project-staging.yaml # AppProject: staging clusters │ └── project-production.yaml # AppProject: production clusters │ ├── environments/ │ ├── dev/ │ │ └── applicationset.yaml # Deploys myapp to dev-use1, dev-usw2 │ ├── staging/ │ │ └── applicationset.yaml # Deploys myapp to staging-use1, staging-usw2 │ └── production/ │ └── applicationset.yaml # Deploys myapp to prod-use1, prod-usw2 │ ├── infrastructure/ │ ├── monitoring/ │ │ ├── applicationset.yaml # kube-prometheus-stack (4 clusters) │ │ ├── prometheus-values.yaml │ │ └── alert-rules/ │ │ └── applicationset.yaml # PrometheusRule CRDs │ ├── logging/ │ │ └── applicationset.yaml # Fluent Bit DaemonSet (6 clusters) │ ├── eso/ │ │ └── applicationset.yaml # External Secrets Operator (6 clusters) │ ├── kyverno/ │ │ └── applicationset.yaml # Kyverno + policies (6 clusters) │ ├── falco/ │ │ └── applicationset.yaml # Falco DaemonSet (6 clusters) │ ├── velero/ │ │ └── applicationset.yaml # Velero (6 clusters) │ ├── karpenter/ │ │ ├── applicationset.yaml # Karpenter controller (2 prod) │ │ └── nodepools/ │ │ └── applicationset.yaml # NodePool + EC2NodeClass CRDs │ └── argo-rollouts/ │ └── applicationset.yaml # Argo Rollouts controller (2 prod) │ └── apps/ └── myapp/ # Helm chart for the application ├── Chart.yaml ├── values.yaml # Default values ├── values-dev.yaml ├── values-staging.yaml ├── values-production.yaml └── templates/ ├── deployment.yaml # Deployment OR Rollout (conditional) ├── service.yaml ├── service-canary.yaml # Canary service (prod only) ├── ingress.yaml ├── hpa.yaml ├── networkpolicy.yaml ├── serviceaccount.yaml ├── external-secret.yaml ├── servicemonitor.yaml # Prometheus scraping └── analysis-template.yaml </code></pre> </div> <h3> Infrastructure Repository Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>MatthewDipo/myapp-infra/ │ ├── _modules/ # Reusable Terraform modules │ ├── vpc/ │ ├── eks/ │ ├── kms/ │ ├── iam/ │ ├── ecr/ │ ├── waf/ │ ├── guardduty/ │ ├── eso-irsa/ │ ├── fluent-bit-irsa/ │ ├── karpenter/ │ └── velero/ │ └── live/ # Terragrunt configurations (per env/region) ├── terragrunt.hcl # Root config (provider, remote state) ├── dev/ │ ├── us-east-1/ │ │ ├── vpc/terragrunt.hcl │ │ ├── kms/terragrunt.hcl │ │ ├── eks/terragrunt.hcl │ │ ├── iam/terragrunt.hcl │ │ └── fluent-bit-irsa/terragrunt.hcl │ └── us-west-2/ │ └── ... (mirror of use1) ├── staging/ │ ├── us-east-1/ │ │ ├── vpc/ kms/ eks/ iam/ │ │ ├── waf/terragrunt.hcl │ │ ├── guardduty/terragrunt.hcl │ │ ├── eso-irsa/terragrunt.hcl │ │ └── fluent-bit-irsa/terragrunt.hcl │ └── us-west-2/ │ └── ... └── production/ ├── us-east-1/ │ ├── vpc/ kms/ eks/ iam/ │ ├── waf/ │ ├── guardduty/ │ ├── eso-irsa/ │ ├── fluent-bit-irsa/ │ ├── karpenter/ │ └── velero/ └── us-west-2/ └── ... </code></pre> </div> <h3> AWS Account Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────┐ │ AWS Organizations Root │ │ │ │ ┌───────────────────────────────────────┐ │ │ │ Management / Root Account │ │ │ │ • AWS SSO (Identity Center) │ │ │ │ • ECR repositories (shared) │ │ │ │ • S3 CI audit bucket │ │ │ │ • GitHub OIDC provider │ │ │ └───────────────────────────────────────┘ │ │ │ │ │ │ │ ▼ ▼ ▼ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ Dev │ │ Staging │ │Production│ │ │ │ Account │ │ Account │ │ Account │ │ │ │ │ │ │ │ │ │ │ │ 2x EKS │ │ 2x EKS │ │ 2x EKS │ │ │ │ VPCs │ │ VPCs │ │ VPCs │ │ │ │ KMS keys │ │ KMS keys │ │ KMS keys │ │ │ │ Secrets │ │ Secrets │ │ Secrets │ │ │ │ Manager │ │ Manager │ │ Manager │ │ │ └──────────┘ └──────────┘ └──────────┘ │ └──────────────────────────────────────────────┘ </code></pre> </div> <h3> Technology Decision Rationale </h3> <p>Understanding WHY each tool was chosen matters as much as knowing HOW to configure it.</p> <p><strong>Terragrunt over plain Terraform</strong><br> Terragrunt provides DRY (Don't Repeat Yourself) configuration. Without it, you would have near-identical <code>provider</code>, <code>backend</code>, and <code>module</code> blocks repeated across 18+ directories. Terragrunt's <code>include</code> and <code>dependency</code> blocks eliminate 90% of that duplication while keeping each environment's overrides explicit and auditable.</p> <p><strong>ArgoCD hub-spoke over fleet management per cluster</strong><br> Running ArgoCD on every cluster is operationally expensive. The hub-spoke model means one ArgoCD installation manages all six clusters via VPC peering. This single pane of glass dramatically simplifies debugging — you see all cluster states in one place.</p> <p><strong>Kyverno over OPA/Gatekeeper</strong><br> Kyverno policies are written in YAML and operate on the same resource schema as Kubernetes objects. OPA/Gatekeeper requires learning Rego, a purpose-built policy language. For Kubernetes-native teams, Kyverno is faster to adopt and maintain.</p> <p><strong>External Secrets Operator over Sealed Secrets</strong><br> Sealed Secrets encrypts secrets and commits them to Git — meaning the encrypted value is your source of truth. ESO keeps secrets out of Git entirely: the secret lives in AWS Secrets Manager, and ESO fetches it at runtime with IRSA credentials. This is a fundamentally stronger posture because a compromised Git repo never exposes secret material.</p> <p><strong>Argo Rollouts over plain Kubernetes rolling updates</strong><br> Rolling updates are binary — you either roll forward or roll back. Argo Rollouts adds weighted traffic splitting between stable and canary versions, analysis runs (automated metric-based promotion gates), and pause steps for manual inspection. A canary deployment that automatically fails back on a rising error rate is far safer than a rolling update you monitor manually.</p> <p><strong>Distroless base images</strong><br> The Google distroless <code>nonroot</code> image contains only the application runtime and its direct dependencies — no shell (<code>sh</code>, <code>bash</code>), no package manager (<code>apt</code>, <code>apk</code>), no <code>curl</code> or <code>wget</code>. If an attacker achieves code execution inside the container, they have almost no tools available to escalate or exfiltrate. Combined with Falco alerting on shell spawning, you get both prevention and detection.</p> <h3> Cost Estimate </h3> <blockquote> <p>These are rough estimates for running the full stack 24/7 in AWS us-east-1 + us-west-2. Production workloads should be sized to actual usage.</p> </blockquote> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Approx. Monthly Cost</th> </tr> </thead> <tbody> <tr> <td>6x EKS cluster control planes</td> <td>~$216 ($0.10/hr × 6)</td> </tr> <tr> <td>12x EC2 t3.medium nodes (2 per cluster)</td> <td>~$300</td> </tr> <tr> <td>6x EBS volumes (gp2, 50–100GB each)</td> <td>~$60</td> </tr> <tr> <td>NAT Gateways (2 per VPC, 6 VPCs)</td> <td>~$250</td> </tr> <tr> <td>ALBs (production + monitoring)</td> <td>~$30</td> </tr> <tr> <td>Route53 hosted zone + queries</td> <td>~$5</td> </tr> <tr> <td>ACM (free)</td> <td>$0</td> </tr> <tr> <td>ECR storage</td> <td>~$5</td> </tr> <tr> <td>CloudWatch logs (Fluent Bit)</td> <td>~$15</td> </tr> <tr> <td>S3 (Velero backups, CI audit)</td> <td>~$10</td> </tr> <tr> <td>AWS WAF</td> <td>~$15</td> </tr> <tr> <td>GuardDuty</td> <td>~$10</td> </tr> <tr> <td>Secrets Manager</td> <td>~$2</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>~$918/month</strong></td> </tr> </tbody> </table></div> <blockquote> <p><strong>Cost reduction tip:</strong> For a demo/learning setup, use 1 node per cluster, <code>t3.small</code> instances, and skip the second region. This brings the cost to approximately $200–300/month.</p> </blockquote> <h3> Prerequisites </h3> <p>Before starting Part 2, ensure you have the following:</p> <p><strong>Tools to install:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># AWS CLI v2</span> curl <span class="s2">"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"</span> <span class="nt">-o</span> <span class="s2">"awscliv2.zip"</span> unzip awscliv2.zip <span class="o">&amp;&amp;</span> <span class="nb">sudo</span> ./aws/install <span class="c"># Terraform 1.6+</span> brew <span class="nb">install </span>terraform <span class="c"># or download from terraform.io</span> <span class="c"># Terragrunt 0.54+</span> brew <span class="nb">install </span>terragrunt <span class="c"># or download from terragrunt.gruntwork.io</span> <span class="c"># kubectl</span> curl <span class="nt">-LO</span> <span class="s2">"https://dl.k8s.io/release/</span><span class="si">$(</span>curl <span class="nt">-sL</span> https://dl.k8s.io/release/stable.txt<span class="si">)</span><span class="s2">/bin/linux/amd64/kubectl"</span> <span class="nb">sudo install</span> <span class="nt">-o</span> root <span class="nt">-g</span> root <span class="nt">-m</span> 0755 kubectl /usr/local/bin/kubectl <span class="c"># Helm 3</span> curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash <span class="c"># ArgoCD CLI</span> curl <span class="nt">-sSL</span> <span class="nt">-o</span> argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 <span class="nb">sudo install</span> <span class="nt">-m</span> 555 argocd /usr/local/bin/argocd <span class="c"># Cosign</span> curl <span class="nt">-sSfL</span> https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 <span class="se">\</span> <span class="nt">-o</span> cosign <span class="o">&amp;&amp;</span> <span class="nb">sudo install</span> <span class="nt">-m</span> 0755 cosign /usr/local/bin/cosign <span class="c"># Trivy</span> <span class="nb">sudo </span>apt-get <span class="nb">install </span>wget apt-transport-https gnupg lsb-release wget <span class="nt">-qO</span> - https://aquasecurity.github.io/trivy-repo/deb/public.key | <span class="nb">sudo </span>apt-key add - <span class="nb">echo</span> <span class="s2">"deb https://aquasecurity.github.io/trivy-repo/deb </span><span class="si">$(</span>lsb_release <span class="nt">-sc</span><span class="si">)</span><span class="s2"> main"</span> <span class="se">\</span> | <span class="nb">sudo tee</span> /etc/apt/sources.list.d/trivy.list <span class="nb">sudo </span>apt-get update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt-get <span class="nb">install </span>trivy </code></pre> </div> <p><strong>AWS accounts needed:</strong></p> <ul> <li>AWS Organization root account (or a management account)</li> <li>Three member accounts: dev, staging, production</li> <li>AWS SSO (IAM Identity Center) configured</li> </ul> <p><strong>GitHub:</strong></p> <ul> <li>Two repositories: <code>myapp</code> (application code) and <code>myapp-gitops</code> (manifests)</li> <li>A Personal Access Token for ArgoCD to pull from the GitOps repo</li> </ul> <p><strong>Domain name:</strong></p> <ul> <li>A registered domain you control (we use <code>matthewoladipupo.dev</code>)</li> <li>Nameservers pointed to Route53</li> </ul> <h3> Series Roadmap </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Part</th> <th>Title</th> </tr> </thead> <tbody> <tr> <td><strong>Part 1</strong></td> <td>Architecture Overview (this article)</td> </tr> <tr> <td><strong>Part 2</strong></td> <td>AWS Foundation: Organizations, SSO, and Account Setup</td> </tr> <tr> <td><strong>Part 3</strong></td> <td>Infrastructure as Code: Terraform Modules + Terragrunt</td> </tr> <tr> <td><strong>Part 4</strong></td> <td>EKS Multi-Cluster: Six Clusters Across Two Regions</td> </tr> <tr> <td><strong>Part 5</strong></td> <td>GitOps with ArgoCD: Hub-Spoke Model</td> </tr> <tr> <td><strong>Part 6</strong></td> <td>CI/CD Pipeline: GitHub Actions, Trivy, Cosign, ECR</td> </tr> <tr> <td><strong>Part 7</strong></td> <td>Secrets Management: AWS Secrets Manager + ESO + IRSA</td> </tr> <tr> <td><strong>Part 8</strong></td> <td>Security Stack: Kyverno, Falco, WAF, GuardDuty</td> </tr> <tr> <td><strong>Part 9</strong></td> <td>Observability: Prometheus, Grafana, Fluent Bit, CloudWatch</td> </tr> <tr> <td><strong>Part 10</strong></td> <td>Resilience: Karpenter, HPA, Argo Rollouts, Velero</td> </tr> <tr> <td><strong>Live Data</strong></td> <td>Appendix</td> </tr> <tr> <td><strong>Codes</strong></td> <td>Runbook</td> </tr> </tbody> </table></div> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: ArgoCD UI showing all 6 clusters registered and all ApplicationSets synced</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgx4bvv9xqr6w1fcyb3ck.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgx4bvv9xqr6w1fcyb3ck.png" alt="ArgoCD UI showing all 6 clusters registered and all ApplicationSets synced" width="800" height="441"></a></p> </blockquote> <blockquote> <p><strong>SCREENSHOT: Grafana dashboard — Node CPU/Memory overview across production clusters</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz9aks78837grslqzru4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz9aks78837grslqzru4.png" alt="Grafana dashboard — Node CPU/Memory overview across production clusters" width="800" height="445"></a></p> </blockquote> <blockquote> <p><strong>SCREENSHOT: GitHub Actions workflow showing all steps passing (lint → scan → build → sign → push → gitops update)</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ylgumnafddwkd6jmqyc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ylgumnafddwkd6jmqyc.png" alt="GitHub Actions workflow showing all steps passing (lint → scan → build → sign → push → gitops update" width="800" height="444"></a></p> </blockquote> <blockquote> <p><strong>SCREENSHOT: AWS ECR showing signed image with cosign attestation tag</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo4l8a7we3a8zkfthkivi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo4l8a7we3a8zkfthkivi.png" alt="AWS ECR showing signed image with cosign attestation tag" width="800" height="443"></a></p> </blockquote> <p><strong>If this was useful, follow me on dev.to</strong> — I will publish Part 2 next Wednesday covering the AWS Organizations + IAM Identity Center setup.<br> <strong>Questions?</strong> Drop them in the comments — I read and reply to every one.</p> <p><em>Next up: Part 2 — AWS Foundation: Organizations, SSO, and Account Setup</em></p> <p><strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a> — every operational procedure for this pipeline.</p> devops kubernetes aws terraform